Developing Verifiable Concurrent Software Tevfik Bultan Department of Computer Science University of California, Santa Barbara

Slides:



Advertisements
Similar presentations
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Advertisements

Web Service Ahmed Gamal Ahmed Nile University Bioinformatics Group
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Introduction to WSDL presented by Xiang Fu. Source WSDL 1.1 specification WSDL 1.1 specification – WSDL 1.2 working draft WSDL.
Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
Background Concurrent access to shared data can lead to inconsistencies Maintaining data consistency among cooperating processes is critical What is wrong.
CS 290C: Formal Models for Web Software Lectures 14: Formal Modeling and Analysis of Orchestration and Choreography Specifications Instructor: Tevfik Bultan.
Spring, Hibernate and Web Services 13 th September 2014.
1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.
1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.
An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.
Latest techniques and Applications in Interprocess Communication and Coordination Xiaoou Zhang.
Extended Interface Grammars for Automated Stub Generation Graham Hughes Tevfik Bultan Department of Computer Science University of California, Santa Barbara.
A New Computing Paradigm. Overview of Web Services Over 66 percent of respondents to a 2001 InfoWorld magazine poll agreed that "Web services are likely.
Action Language: A Specification Language for Model Checking Reactive Systems Tevfik Bultan Department of Computer Science University of California, Santa.
272: Software Engineering Fall 2008 Instructor: Tevfik Bultan Lectures 13: Modularity, Interfaces and Verification.
A Tool for Choreography Analysis Using Collaboration Diagrams Tevfik Bultan University of California Santa Barbara Xiang Fu Hofstra University Chris Ferguson.
An Overview of Web Service Standards Tevfik Bultan Department of Computer Science University of California, Santa Barbara.
Structuring Software for Verifiability Tevfik Bultan Department of Computer Science University of California, Santa Barbara
Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.
Modular Verification of Multithreaded Software Shaz Qadeer Compaq Systems Research Center Shaz Qadeer Compaq Systems Research Center Joint work with Cormac.
Modularity, Interfaces, and Verification Tevfik Bultan Department of Computer Science University of California, Santa Barbara.
Specification of Realizable Service Conversations Using Collaboration Diagrams Tevfik Bultan Department of Computer Science University of California, Santa.
Client and Server Verification for Web Services Using Interface Grammars Graham Huges, Tevfik Bultan, Muath Alkhalaf Department of Computer Science University.
Interface Grammars for Modular Software Verification Tevfik Bultan Department of Computer Science University of California, Santa Barbara.
A Top-Down Approach to Modeling Global Behaviors of Web Services Xiang Fu, Tevfik Bultan and Jianwen Su Department of Computer Science University of California,
Tools for Automated Verification of Web Services Tevfik Bultan Department of Computer Science University of California, Santa Barbara
Analyzing Conversations of Web Services Tevfik Bultan Department of Computer Science University of California, Santa Barbara
© 2006 Pearson Addison-Wesley. All rights reserved2-1 Chapter 2 Principles of Programming & Software Engineering.
Service Choreography and Orchestration with Conversations Tevfik Bultan Department of Computer Science University of California, Santa Barbara
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 2: Software Verification with JPF, ALV and Design for Verification.
Adapting Legacy Computational Software for XMSF 1 © 2003 White & Pullen, GMU03F-SIW-112 Adapting Legacy Computational Software for XMSF Elizabeth L. White.
T Network Application Frameworks and XML Web Services and WSDL Sasu Tarkoma Based on slides by Pekka Nikander.
Object-Oriented Implementation of Reconciliations M.Sc. Seminar Talk by Costa Shapiro under supervision of Prof. Shmuel Katz Computer Science – Technion.
A Z Approach in Validating ORA-SS Data Models Scott Uk-Jin Lee Jing Sun Gillian Dobbie Yuan Fang Li.
Lifecycle Verification of the NASA Ames K9 Rover Executive Dimitra Giannakopoulou Mike Lowry Corina Păsăreanu Rich Washington.
Rebecca Modeling Language Mahdieh Ahmadi Verification of Reactive Systems March 2014.
Benjamin Gamble. What is Time?  Can mean many different things to a computer Dynamic Equation Variable System State 2.
Author: Graham Hughes, Tevfik Bultan Computer Science Department, University of California, Santa Barbara, CA 93106, USA Source: International Journal.
Institute e-Austria in Timisoara 1 Author: prep. eng. Calin Jebelean Verification of Communication Protocols using SDL ( )
Java Threads 11 Threading and Concurrent Programming in Java Introduction and Definitions D.W. Denbo Introduction and Definitions D.W. Denbo.
CS6133 Software Specification and Verification
Semaphores, Locks and Monitors By Samah Ibrahim And Dena Missak.
Specification, Verification, and Synthesis of Concurrency Control Components Tuba Yavuz-Kahveci Tevfik Bultan Department of Computer Science University.
Internet Software Development Controlling Threads Paul J Krause.
Basic Concepts of Component- Based Software Development (CBSD) Model-Based Programming and Verification.
1 CSEP590 – Model Checking and Automated Verification Lecture outline for August 6, 2003.
© 2006 Pearson Addison-Wesley. All rights reserved2-1 Chapter 2 Principles of Programming & Software Engineering.
© 2006 Pearson Addison-Wesley. All rights reserved 2-1 Chapter 2 Principles of Programming & Software Engineering.
Course: COMS-E6125 Professor: Gail E. Kaiser Student: Shanghao Li (sl2967)
Model Checking for Simple Java Programs Taehoon Lee, Gihwon Kwon Department of Computer Science Kyonggi University, Korea IWFST, Shanghai, China,
Qusay H. Mahmoud CIS* CIS* Service-Oriented Computing Qusay H. Mahmoud, Ph.D.
ICFEM 2002, Shanghai Reasoning about Hardware and Software Memory Models Abhik Roychoudhury School of Computing National University of Singapore.
Synchronizability for Verification of Asynchronously Communicating Systems Samik Basu Iowa State University Tevfik Bultan University of California at Santa.
Banaras Hindu University. A Course on Software Reuse by Design Patterns and Frameworks.
Software Systems Verification and Validation Laboratory Assignment 4 Model checking Assignment date: Lab 4 Delivery date: Lab 4, 5.
( = “unknown yet”) Our novel symbolic execution framework: - extends model checking to programs that have complex inputs with unbounded (very large) data.
/ PSWLAB Thread Modular Model Checking by Cormac Flanagan and Shaz Qadeer (published in Spin’03) Hong,Shin Thread Modular Model.
Specifying Multithreaded Java semantics for Program Verification Abhik Roychoudhury National University of Singapore (Joint work with Tulika Mitra)
SystemC Semantics by Actors and Reduction Techniques in Model Checking Marjan Sirjani Formal Methods Lab, ECE Dept. University of Tehran, Iran MoCC 2008.
Verifying Component Substitutability Nishant Sinha Sagar Chaki Edmund Clarke Natasha Sharygina Carnegie Mellon University.
Jackson, Web Technologies: A Computer Science Perspective, © 2007 Prentice-Hall, Inc. All rights reserved Chapter 9 Web Services: JAX-RPC,
Added Value to XForms by Web Services Supporting XML Protocols Elina Vartiainen Timo-Pekka Viljamaa T Research Seminar on Digital Media Autumn.
Specifying Multithreaded Java semantics for Program Verification
Chapter 9 Web Services: JAX-RPC, WSDL, XML Schema, and SOAP
Automatic Derivation, Integration and Verification
A Refinement Calculus for Promela
Presentation transcript:

Developing Verifiable Concurrent Software Tevfik Bultan Department of Computer Science University of California, Santa Barbara

Joint Work with My Students Design for verification –Aysu Betin-Can (PhD 2005) Verification of Service Interactions –Xiang Fu (PhD 2004) Action Language Verifier –Tuba Yavuz-Kahveci (PhD 2004) –Constantinos Bartzis (PhD 2004) Interface Grammars –Graham Hughes (PhD candidate)

Verification Tools, Concurrency Problems Action Language Verifier Verification of Synchronization in Concurrent Programs Synchronizability Analysis Analyzing Web Service Interactions Design for Verification uses enables

Read-Write Lock in Action Language module main() integer nr; boolean busy; restrict: nr>=0; initial: nr=0 and !busy; module ReaderWriter() enumerated state {idle, reading, writing}; initial: state=idle; r_enter: state=idle and !busy and nr’=nr+1 and state’=reading; r_exit: state=reading and nr’=nr-1 and state’=idle; w_enter: state=idle and !busy and nr=0 busy’ and state’=writing; w_exit: state=writing and !busy’ and state’=idle; ReaderWriter: r_enter | r_exit | w_enter | w_exit; endmodule main: ReaderWriter() | ReaderWriter() | ReaderWriter(); spec: invariant(busy => nr=0) spec: invariant(busy => eventually(!busy)) endmodule S : Cartesian product of variable domains defines variable domains defines the set of states the set of states I : Predicates defining the initial states the initial states R : Atomic actions of a single process a single process R : Transition relation of a process, defined as process, defined as asynchronous asynchronous composition of its composition of its atomic actions atomic actions R : Transition relation of main, defined as asynchronous composition of three processes

A Java Read-Write Lock Implementation class ReadWriteLock { private Object lockObj; private int totalReadLocksGiven; private boolean writeLockIssued; private int threadsWaitingForWriteLock; public ReadWriteLock() { lockObj = new Object(); writeLockIssued = false; } public void getReadLock() { synchronized (lockObj) { while ((writeLockIssued) || (threadsWaitingForWriteLock != 0)) { try { lockObj.wait(); } catch (InterruptedException e) { } } totalReadLocksGiven++; } } public void getWriteLock() { synchronized (lockObj) { threadsWaitingForWriteLock++; while ((totalReadLocksGiven != 0) || (writeLockIssued)) { try { lockObj.wait(); } catch (InterruptedException e) { // } } threadsWaitingForWriteLock--; writeLockIssued = true; } } public void done() { synchronized (lockObj) { //check for errors if ((totalReadLocksGiven == 0) && (!writeLockIssued)) { System.out.println(" Error: Invalid call to release the lock"); return; } if (writeLockIssued) writeLockIssued = false; else totalReadLocksGiven--; lockObj.notifyAll(); } } } Where are the guarded commands? How do we translate this to Action Language? Action Language Verifier Verification of Synchronization in Java Programs

Design for Verification Abstraction and modularity are key both for successful designs and scalable verification techniques The question is: –How can modularity and abstraction at the design level be better integrated with the verification techniques which depend on these principles? Our approach: –Structure software in ways that facilitate verification –Document the design decisions that can be useful for verification –Improve the applicability and scalability of verification using this information

A Design for Verification Approach We have been investigating a design for verification approach based on the following principles: 1.Use of design patterns that facilitate automated verification 2.Use of stateful, behavioral interfaces which isolate the behavior and enable modular verification 3.An assume-guarantee style modular verification strategy that separates verification of the behavior from the verification of the conformance to the interface specifications 4.A general model checking technique for interface verification 5.Domain specific and specialized verification techniques for behavior verification Avoids usage of error-prone Java synchronization primitives: synchronize, wait, notify Separates controller behavior from the threads that use the controller: Supports a modular verification approach which exploits this modularity for scalable verification

Interface Machine Thread 1Thread 2Thread n Thread 1 Controller Shared Data Interface Machine Thread 2 Interface Machine Thread n Thread Modular Interface Verification Concurrent Program Controller Behavior Modular Behavior Verification Modular Design / Modular Verification Interface

Concurrent Program Controller Classes Thread Classes Controller Interface Machine Controller Behavior Machine Java Path Finder Action Language Verifier Thread Isolation Thread Class Counting Abstraction Interface Verification Behavior Verification Verification Framework

Outline Action Language Verifier Verification of Synchronization in Concurrent Programs Synchronizability Analysis Analyzing Web Service Interactions Design for Verification uses enables

Web Services Loosely coupled, interaction through standardized interfaces Standardized data transmission via XML Asynchronous messaging Platform independent (.NET, J2EE) Data Type Service Composition Message WSBPEL Web Service Standards Implementation Platforms Microsoft.Net, Sun J2EE WSDL SOAP XML Schema XML WSCDL Interaction

A Model for Composite Web Services A composite web service consists of –a finite set of peers and a finite set of messages We assume that the messages among the peers are exchanged using reliable and asynchronous messaging –FIFO and unbounded message queues A conversation is the global sequence of messages exchanged among the peers participating to a composite service Model checking problem: Given an LTL property, does the conversation set satisfy the property?

Synchronizability Analysis We know that analyzing conversations of composite web services is difficult due to asynchronous communication –Can we identify the composite web services where asynchronous communication does not create a problem? A composite web service is synchronizable, if its conversation set does not change when asynchronous communication is replaced with synchronous communication If a composite web service is synchronizable we can check properties about its conversations using synchronous communication semantics We built a tool called Web Service Analysis Tool (WSAT), which checks sufficient conditions for synchronizability –Requires each peer participating to the composite service to be specified as a state machine

Checking Service Implementations Web service implementations are written using programming languages such as Java, C#, etc. Synchronizability analysis works on state machine models How do we generate the state machines from the Java code? Synchronizability Analysis Checking Service Implementations

Design for Verification Approach Use the same principles: 1.Use of design patterns that facilitate automated verification 2.Use of stateful, behavioral interfaces which isolate the behavior and enable modular verification 3.An assume-guarantee style modular verification strategy that separates verification of the behavior from the verification of the conformance to the interface specifications 4.A general model checking technique for interface verification 5.Domain specific and specialized verification techniques for behavior verification

Interface Machine Peer 1 Peer 2Peer n Peer 1 Interface Machine Peer 2 Interface Machine Peer n Peer Modular Interface Verification Composite Service Conversation Behavior Modular Conversation Verification Modular Design / Modular Verification interface

Composite Service Peer State Machine Promela Java Path Finder Spin Peer Code Interface Verification Verification Framework Thread Peer State Machines WSAT Synchronizability Analysis Conversation Verification Promela Translation

Conclusions Once the behavior is isolated (using concurrency controller or peer controller patterns) behavior verification was quite efficient –Use of domain specific behavior verification techniques has been very effective –Model checking research resulted in numerous verification techniques and tools which can be customized for specific classes of software systems Interface verification (which is less specialized) was very hard –It is necessary to find effective behavioral interface specification and verification techniques –Check out our recent work on interface grammars!

Conclusions We were able to use our design for verification approach based on design patterns and behavioral interfaces in different domains Automated verification techniques can scale to realistic software systems using a design for verification approach

THE END