Tools for Automated Verification of Concurrent Software Tevfik Bultan Department of Computer Science University of California, Santa Barbara

Summary Goal: Reliable concurrent programming Sub-goals: –Developing reliable concurrency controllers in Java –Developing reliable concurrent linked lists Approach: Model Checking –Refined Approach: Composite Model Checking Specification Language: Action Language Tools: –Composite Symbolic Library –Action Language Verifier

Students Joint work with my students: Tuba Yavuz-Kahveci Constantinos Bartzis Xiang Fu (co-advised with Jianwen Su) Aysu Betin-Can

Outline Difficulties in concurrent programming A short history of model checking – 5 key ideas + 2 key tools Action Language Composite Symbolic Library Application to concurrency controllers Application to concurrent linked lists Related work Current and future work

Difficulties in Concurrent Programming Concurrent programming is difficult and error prone –In sequential programming you only worry about the states of the variables –In concurrent programming you also have to worry about the states of the threads State space increases exponentially with the number of threads

Concurrent Programming in Java Java uses a variant of monitor programming Synchronization using locks –Each object has a lock synchronized(o) {... } Coordination using condition variables –Objects can be used as condition variables synchronized (condVar){ while (!condExp) wait(condVar);... notifyAll(condVar); }

Dangers in Java Concurrency Nested locks synchronized m(other) { other.m(); } Thread1: run() { o1.m(o2); } Thread2: run() { o2.m(o1); } o1 lock o2 lock Thread1Thread2

Dangers in Java Concurrency Missed notification notify(condVar); Forgotten condition check if(!condExp) wait(condVar); Dependency among multiple condition variables can be complicated –Conservative notification and condition check Inefficient –Optimizing the notification and condition checks Error prone

A simplified model of Seattle Tacoma International Airport from [Zhong 97] Example: Airport Ground Traffic Control Simulation

Control Logic An airplane can land using 16R only if no airplane is using 16R at the moment An airplane can takeoff using 16L only if no airplane is using 16L at the moment An airplane taxiing on one of the exits C3-C8 can cross runway 16L only if no airplane is taking off at the moment An airplane can start using 16L for taking off only if none of the crossing exits C3-C8 is occupied at the moment (arriving airplanes have higher priority) Only one airplane can use a taxiway at a time

Java Implementation Simulate behavior of each airplane with a thread Use a monitor (a Java class) –private variables for number of airplanes on each runway and each taxiway –methods of the monitor enforce the control logic Each thread calls the methods of the monitor based on the airport layout to move from one point to the next

Example Implementation public synchronized void C8_To_B11A() { while (!((numRW16L == 0) && (numB11A == 0))) wait(); numC8 = numC8 - 1; numB11A = numB11A + 1; notifyAll(); } This code is not efficient since every thread wakes up every other thread Using separate condition variables complicates the synchronization –nested locks

Difficulties In Implementing Concurrent Linked Lists Linked list manipulation is difficult and error prone –State of the heap: unbounded State space: –Sequential programming states of the variables –Concurrent programming states of the variables states of the threads –Concurrent linked lists states of the variables states of the threads state of the heap

Examples singly linked lists doubly linked lists stack queue single lock double lock –allows concurrent inserts and deletes next next n1n2 prev next n1n2 next prev next next n1n2top next next n1n2first last

Outline of Our Approach 1.Specify concurrency controllers and concurrent linked lists in Action Language 2.Verify their properties using composite model checking 3.Generate Java classes from the specifications which preserve their properties

Action Language Tool Set Action Language Parser Verifier Code Generator OmegaLibraryCUDDPackage Verified code (Java monitor classes) MONA Composite Symbolic Library PresburgerArithmeticManipulatorBDDManipulatorAutomataManipulator Action Language Specification

Outline Difficulties in concurrent programming A short history of model checking in 7 slides – 5 key ideas + 2 key tools Action Language Composite Symbolic Library Application to concurrency controllers Application to concurrent linked lists Related work Current and future work

Idea 1: Temporal Logics for Reactive Systems [Pnueli FOCS 77, TCS 81] Transformational systems get input; compute something; return result; Reactive systems while (true) { receive some input, send some output } For reactive systems termination is not relevant pre and post-conditions are not enough Temporal Logics Invariant p (G p, AG p, p) Eventually p (F p, AF p, p) Next p : (X p, AX p, p) p Until q : ( p U q, A(p U q) ) AF(p), EG(p)F(p) p pp p G(p) LTLCTL p p p p p p p Branching vs. Linear Time

Idea 2: Automated Verification of Finite State Systems [Clarke and Emerson 81], [Queille and Sifakis 82] Transition Systems S : Set of states (finite) I  S : Set of initial states R  S  S : Transition relation Model checking problem: Given a temporal logic property, does the transition system satisfy the property? –Complexity: linear in the size of the transition system Verification vs. Falsification Verification: show: initial states  truth set of p Falsification: find: a state  initial states  truth set of  p generate a counter-example starting from that state

Idea 3: Temporal Properties  Fixpoints [Emerson and Clarke 80] pppp Initialstates initial states that satisfy EF(  p) initial states that violate AG(p)  initial states that violate AG(p) EF(  p)states that can reach  p  p Pre(  p) Pre(Pre(  p))... EF(  p)  states that can reach  p   p  Pre(  p)  Pre(Pre(  p)) ... EG(  p) Initialstates initial states that satisfy EG(  p) initial states that violate AF(p)  initial states that violate AF(p) EG(  p) states that can avoid reaching p  p Pre(  p) Pre(Pre(  p))... EG(  p)  states that can avoid reaching p   p  Pre(  p)  Pre(Pre(  p)) ... EF(  p)

Idea 4: Symbolic Model Checking [McMillan et al. LICS 90] Represent sets of states and the transition relation as Boolean logic formulas Fixpoint computation becomes formula manipulation –pre and post-condition computations: Existential variable elimination –conjunction (intersection), disjunction (union) and negation (set difference), and equivalence check Use an efficient data structure –Binary Decision Diagrams (BDDs)

Tool 1: SMV [McMillan 93] BDD-based symbolic model checker Finite state Temporal logic: CTL Focus: hardware verification –Later applied to software specifications, protocols, etc. SMV has its own input specification language –concurrency: synchronous, asynchronous –shared variables –boolean and enumerated variables –bounded integer variables (binary encoding) SMV is not efficient for integers, can be fixed

Idea 5: LTL Properties  Büchi automata [Vardi and Wolper LICS 86] Büchi automata: Finite state automata that accept infinite strings A Büchi automaton accepts a string when the corresponding run visits an accepting state infinitely often The size of the property automaton can be exponential in the size of the LTL formula G p p pp true F p p pp true G (F p) true p

Tool 2: SPIN [Holzmann 91, TSE 97] Explicit state, finite state Temporal logic: LTL Input language: PROMELA –Asynchronous processes –Shared variables –Message passing through (bounded) communication channels –Variables: boolean, char, integer (bounded), arrays (fixed size) Property automaton from the negated LTL property Product of the property automaton and the transition system (on-the-fly) Show that there is no accepting cycle in the product automaton Nested depth first search to look for accepting cycles If there is a cycle, it corresponds to a counterexample behavior that demonstrates the bug

Model Checking Research These 5 key ideas and 2 key tools inspired a lot of research [Clarke, Grumberg and Peled, 99] –efficient symbolic representations –partial order reductions –abstraction –compositional/modular verification –model checking infinite state systems (pushdown automata) –model checking real time systems –model checking hybrid systems –model checking programs –...

Outline Difficulties in concurrent programming A short history of model checking – 5 key ideas + 2 key tools Action Language Composite Symbolic Library Application to concurrency controllers Application to concurrent linked lists Related work Current and future work

Action Language [Bultan, ICSE 00], [Bultan, Yavuz-Kahveci, ASE 01] A state based language –Actions correspond to state changes States correspond to valuations of variables –boolean –enumerated –integer (possibly unbounded) –heap variables (i.e., pointers) Parameterized constants –specifications are verified for every possible value of the constant

Action Language Transition relation is defined using actions –Atomic actions: Predicates on current and next state variables –Action composition: asynchronous (|) or synchronous (&) Modular –Modules can have submodules –A modules is defined as asynchronous and/or synchronous compositions of its actions and submodules

Readers Writers Example module main() integer nr; boolean busy; restrict: nr>=0; initial: nr=0 and !busy; module Reader() boolean reading; initial: !reading; rEnter: !reading and !busy and nr’=nr+1 and reading’; rExit: reading and !reading’ and nr’=nr-1; Reader: rEnter | rExit; endmodule module Writer()... endmodule main: Reader() | Reader() | Writer() | Writer(); spec: invariant([busy => nr=0]) endmodule S : Cartesian product of variable domains defines variable domains defines the set of states the set of states I : Predicates defining the initial states the initial states R : Atomic actions of the Reader Reader R : Transition relation of Reader defined as asynchronous composition of its atomic actions R : Transition relation of main defined as asynchronous composition of two Reader and two Writer processes

Outline Difficulties in concurrent programming A short history of model checking – 5 key ideas + 2 key tools Action Language Composite Symbolic Library Application to concurrency controllers Application to concurrent linked lists Related work Current and future work

Which Symbolic Representation to Use? BDDs canonical and efficient representation for Boolean logic formulas can only encode finite sets Linear Arithmetic Constraints can encode infinite sets two representations –polyhedral representation –automata representation not efficient for encoding boolean domains F F F T T x  y  {(T,T), (T,F), (F,T)} a > 0  b = a+1  {(1,2), (2,3), (3,4),...} T x y

Composite Model Checking [Bultan, Gerber, League ISSTA 98, TOSEM 00] Map each variable type to a symbolic representation –Map boolean and enumerated types to BDD representation –Map integer type to a linear arithmetic constraint representation Use a disjunctive representation to combine different symbolic representations: composite representation Each disjunct is a conjunction of formulas represented by different symbolic representations –we call each disjunct a composite atom

Composite Representation symbolic rep. 1 symbolic rep. 2 symbolic rep. t composite atom Example: x: integer, y: boolean x>0 and x´  x-1 and y´ or x<=0 and x´  x and y´  y arithmetic constraint representation BDD arithmetic constraint representation BDD

Composite Symbolic Library [Yavuz-Kahveci, Tuncer, Bultan TACAS01], [Yavuz-Kahveci, Bultan STTT] Uses a common interface for each symbolic representation Easy to extend with new symbolic representations Enables polymorphic verification Multiple symbolic representations: –As a BDD library we use Colorado University Decision Diagram Package (CUDD) [Somenzi et al] –As an integer constraint manipulator we use Omega Library [Pugh et al]

Composite Symbolic Library Class Diagram CUDD LibraryOMEGA Library Symbolic +intersect() +union() +complement() +isSatisfiable() +isSubset() +pre() +post() CompSym –representation: list of comAtom +intersect() + union() BoolSym –representation: BDD +intersect() +union() IntSym –representation: Polyhedra +intersect() +union() compAtom –atom: *Symbolic

Composite Symbolic Representation b’ x: integer, y:boolean x>0 and x´  x-1 and y´ or x<=0 and x´  x and y´  y : CompSym representation : List : ListNode next :*ListNode data : compAtom 0 1 y´y´ x>0 and x´=x y’=y x<=0 and x’=x

Pre and Post-condition Computation Variables: x: integer, y: boolean Transition relation: R: x>0 and x´  x-1 and y´ or x<=0 and x´  x and y´  y Set of states: s: x=2 and !y or x=0 and !y Compute post(s,R)

Pre and Post-condition Distribute R: x>0 and x´  x-1 and y´ or x<=0 and x´  x and y´  y s: x=2 and !y or x=0 and y post(s,R) = post( x=2, x>0 and x´  x-1 )  post( !y, y´ ) x=1 y  post( x=2, x<=0 and x´  x )  post ( !y, y´  y ) false !y  post( x=0, x>0 and x´  x-1 )  post( y, y´ ) false y  post ( x=0, x<=0 and x´  x )  post ( y, y´  y ) x=0 y = x=1 and y or x=0 and y

Polymorphic Verifier Symbolic TranSys::check(Node *f) { Symbolic s = check(f.left) case EX: s.pre(transRelation) case EF: do sold = s s.pre(transRelation) s.union(sold) while not sold.isEqual(s) }  Action Language Verifier is polymorphic  It becomes a BDD based model checker when there or no integer variables

Heuristics for Composite Representation [Yavuz-Kahveci, Bultan FroCos 02] Masking –compute operations on BDDs first –avoid redundant computations on integer part Incremental subset check –Exploit the disjunctive structure by computing subset checks incrementally Interleaving pre-condition computation with the subset check in least-fixpoint computations Simplification –Reduce the number of disjuncts in the composite representation by iteratively merging matching disjuncts

Some Experiments Problem Instance All Heuristics Time (sec) Memory (MB) No Heuristics Time (sec) Memory (MB) Barber Barber  Bakery2i Bakery3i  Lightcontrol Without the simplification for 15 out of 39 problem instances the verifier ran out of memory

Outline Difficulties in concurrent programming A short history of model checking – 5 key ideas + 2 key tools Action Language Composite Symbolic Library Application to concurrency controllers Application to concurrent linked lists Related work Current and future work

Application to Concurrency Controllers [Yavuz-Kahveci, Bultan ISTTA 02] [Betin-Can, Bultan SoftMC 03] Outline of our approach: 1.Specify concurrency controllers and concurrent linked lists in Action Language 2.Verify their properties using composite model checking 3.Generate Java classes from the specifications which preserve their properties

Readers-Writers Controller module main() integer nr; boolean busy; restrict: nr>=0; initial: nr=0 and !busy; module Reader() boolean reading; initial: !reading; rEnter: !reading and !busy and nr’=nr+1 and reading’; rExit: reading and !reading’ and nr’=nr-1; Reader: rEnter | rExit; endmodule module Writer() boolean writing; initial: !writing; wEnter: !writing and nr=0 and !busy and busy’ and writing’; wExit: writing and !writing’ and !busy’; Writer: wEnter | wExit; endmodule main: Reader() | Reader() | Writer() | Writer(); spec: invariant([busy => nr=0]) endmodule

Arbitrary Number of Threads Counting abstraction –Create an integer variable for each local state of a thread –Each variable will count the number of threads in a particular state Local states of the threads have to be finite –Specify only the thread behavior that relates to the correctness of the controller –Shared variables of the controller can be unbounded Counting abstraction can be automated

Readers-Writers After Counting Abstraction module main() integer nr; boolean busy; parameterized integer numReader, numWriter; restrict: nr>=0 and numReader>=0 and numWriter>=0; initial: nr=0 and !busy; module Reader() integer readingF, readingT; initial: readingF=numReader and readingT=0; rEnter: readingF>0 and !busy and nr’=nr+1 and readingF’=readingF-1 and readingT’=readingT+1; rExit: readingT>0 and nr’=nr-1 readingT’=readingT-1 and readingF’=readingF+1; Reader: rEnter | rExit; endmodule module Writer()... endmodule main: Reader() | Writer(); spec: invariant([busy => nr=0]) endmodule Variables introduced by the counting abstractions Parameterized constants introduced by the counting abstractions

Verification of Readers-Writers Controller IntegersBooleansCons. Time (secs.) Ver. Time (secs.) Memory (Mbytes) RW RW RW RW RW RW-P SUN ULTRA 10 (768 Mbyte main memory)

What about the Java Implementation? We can automatically generate code from the controller specification –Generate a Java class –Make shared variables private variables –Use synchronization to restrict access Is the generated code efficient? –Yes! –We can synthesize the condition variables automatically –There is no unnecessary thread notification

Specific Notification Pattern [Cargill 96] public class ReadersWriters{ private int nr; private boolean busy; private Object rEnterCond, wEnterCond; private synchronized boolean Guard_rEnter() { if (!busy) { nr++; return true; } else return false; } public void rEnter() { synchronized(rEnterCond) { while(!Guard_rEnter()) rEnterCond.wait(); } public void rExit() { synchronized(this) { nr--; } synchronized(wEnterCond) { wEnterCond.notify(); } }... } All condition variables and wait and signal operations are generated automatically rEnter: !reading and !busy and nr’=nr+1 and reading’;

A simplified model of Seattle Tacoma International Airport from [Zhong 97] Example: Airport Ground Traffic Control

Action Language Specification module main() integer numRW16R, numRW16L, numC3,...; initial: numRW16R=0 and numRW16L=0 and...; module Airplane() enumerated pc {arFlow, touchDown, parked, depFlow, taxiTo16LC3,..., taxiFr16LB2,..., takeoff}; initial: pc=arFlow or pc=parked; reqLand: pc=arFlow and numRW16R=0 and pc’=touchDown and numRW16R’=numRW16R+1; exitRW3: pc =touchDown and numC3=0 and numC3’=numC3+1 and numRW16R’=numRW16R-1 and pc’=taxiTo16LC3;... Airplane: reqLand | exitRW3 |...; endmodule main: AirPlane() | Airplane() | Airplane() |....; spec: AG(numRW16R  1 and numRW16L  1) spec: AG(numC3  1) spec: AG((numRW16L=0 and numC3+numC4+...+numC8>0) => AX(numRW16L=0)) endmodule

Airport Ground Traffic Control Action Language specification –Has 13 integer variables –Has 6 Boolean variables per airplane process to keep the local state of each airplane –20 actions Automatically generated Java monitor class –Has 13 integer variables –Has 14 condition variables –Has 34 methods

Experiments ProcessesConstruction(sec)Verify-P1(sec)Verify-P2(sec)Verify-P3(sec) A,PD A,PD A,PD A,PD PA,2D PA,4D PA,8D PA,16D PA,PD A: Arriving Airplane D: Departing Airplane P: Arbitrary number of threads

Efficient Java Implementation public class airport { private int numRW16R; private int numRW16L; private int numC3;.... private Object CondreqLand; private Object CondexitRW3;... public airport() { numRW16R = 0 ; numRW16L = 0 ;... } private synchronized boolean Guarded_reqLand(){ if(numRW16R == 0) { numRW16R = numRW16R + 1; return true; }else return false ; } public void reqLand(){ synchronized(CondreqLand){ while (! Guarded_reqLand()){ try{ CondreqLand.wait(); } catch(InterruptedException e){;} }

Outline Difficulties in concurrent programming A short history of model checking – 5 key ideas + 2 key tools Action Language Composite Symbolic Library Application to concurrency controllers Application to concurrent linked lists Related work Current and future work

Heap Type [Yavuz-Kahveci, Bultan SAS 02] Heap type in Action Language heap {next} top; Heap type represents dynamically allocated storage top’=new; We need to add a symbolic representation for the heap type to the Composite Symbolic Library numItems > 2 => top.next != null

Concurrent Stack module main() heap {next} top, add, get, newTop; boolean mutex; integer numItems; initial: top=null and mutex and numItems=0; module push() enumerated pc {l1, l2, l3, l4}; initial: pc=l1 and add=null; push1: pc=l1 and mutex and !mutex’ and add’=new and pc’=l2; push2: pc=l2 and numItems=0 and top’=add and numItems’=1 and pc’=l3; push3: pc=l3 and top’.next =null and mutex’ and pc’=l1; push4: pc=l2 and numItems!=0 and add’.next=top and pc’=l4; push5: pc=l4 and top’=add and numItems’=numItems+1 and mutex’ and pc’=l1; push: push1 | push2 | push3 | push4 | push5; endmodule module pop()... endmodule main: pop() | pop() | push() | push() ; spec:AG(mutex =>(numItems=0 top=null)) spec: AG(mutex => (numItems>2 => top->next!=null)) endmodule

Shape Graphs Shape graphs represent the states of the heap Each node in the shape graph represents a dynamically allocated memory location Heap variables point to nodes of the shape graph The edges between the nodes show the locations pointed by the fields of the nodes add top next next n1n2 heap variables add and top point to node n1 add.next is node n2 top.next is also node n2 add.next.next is null

Composite Symbolic Library CUDD LibraryOMEGA Library Symbolic +union() +isSatisfiable() +isSubset() +forwardImage() CompSym –representation: list of comAtom + union() BoolSym –representation: BDD +union() compAtom –atom: *Symbolic HeapSym –representation: list of ShapeGraph +union() IntSym –representation: list of Polyhedra +union() ShapeGraph –atom: *Symbolic

Forward Fixpoint pc=l1  mutex numItems=2 add top   pc=l2   mutex  numItems=2 addtopBDD arithmetic constraint representation A set of shape graphs  pc=l4   mutex  numItems=2  addtop  pc=l1  mutex  numItems=3  addtop

Post-condition Computation: Example pc=l4   mutex  numItems=2  addtop pc=l4 and mutex’ pc’=l1 pc=l1  mutex numItems’=numItems+1  numItems=3 top’=add   addtop set of states transitionrelation

Fixpoints Do Not Converge We have two reasons for non-termination –integer variables can increase without a bound –the number of nodes in the shape graphs can increase without a bound The state space is infinite Even if we ignore the heap variables, reachability is undecidable when we have unbounded integer variables So, we use conservative approximations

Conservative Approximations Compute a lower ( p  ) or an upper ( p + ) approximation to the truth set of the property ( p ) Model checker can give three answers: I p pppp “The property is satisfied” I p “I don’t know” “The property is false and here is a counter-example” I p  p p p p sates which violate the property p+p+p+p+ pppp

Conservative Approximations Truncated fixpoint computations –To compute a lower bound for a least-fixpoint computation –Stop after a fixed number of iterations Widening –To compute an upper bound for the least-fixpoint computation –We use a generalization of the polyhedra widening operator by [Cousot and Halbwachs POPL’77] Summarization –Generate summary nodes in the shape graphs which represent more than one concrete node

Summarization The nodes that form a chain are mapped to a summary node No heap variable points to any concrete node that is mapped to a summary node Each concrete node mapped to a summary node is only pointed by a concrete node which is also mapped to the same summary node During summarization, we also introduce an integer variable which counts the number of concrete nodes mapped to a summary node

Summarization Example pc=l1  mutex numItems=3 add top   pc=l1  mutex numItems=3  summarycount=2 add top  summary node a new integer variable representing the number of concrete nodes encoded by the summary node After summarization, it becomes: summarized nodes

Simplification pc=l1  mutex  numItems=3  summaryCount=2 addtop pc=l1  mutex add top   numItems=4  summaryCount=3  = pc=l1  mutex add top   (numItems=4  summaryCount=3  numItems=3  summarycount=2)

Simplification On the Integer Part pc=l1  mutex add top   (numItems=4  summaryCount=3  numItems=3  summaryCount=2) = pc=l1  mutex add top  numItems=summaryCount+1  3  numItems  numItems  4

Widening Fixpoint computation still will not converge since numItems and summaryCount keep increasing without a bound We use the widening operation: –Given two composite atoms c 1 and c 2 in consecutive fixpoint iterates, assume that c 1 = b 1  i 1  h 1 c 2 = b 2  i 2  h 2 where b 1 = b 2 and h 1 = h 2 and i 1  i 2 Assume that i 1 is a single polyhedron and i 2 is also a single polyhedron

Widening Then –i 1  i 2 is defined as: all the constraints in i 1 which are also satisfied by i 2 Replace i 2 with i 1  i 2 in c 2 This generates an upper approximation to the forward- fixpoint computation

Widening Example pc=l1  mutex add top  numItems=summaryCount+1  3  numItems  numItems  4 pc=l1  mutex add top  numItems=summaryCount+1  3  numItems  numItems  5  pc=l1  mutex add top  numItems=summaryCount+1  3  numItems = Now, fixpoint converges

Verified Properties SpecificationVerified Invariants Stack top=null  numItems=0 top  null  numItems  0 numItems=2  top.next  null Single Lock Queue head=null  numItems=0 head  null  numItems  0 (head=tail  head  null)  numItems=1 head  tail  numItems  0 Two Lock Queue numItems>1  head  tail numItems>2  head.next  tail

Experimental Results Number of Threads Queue HC Queue IC Stack HC Stack IC 2Lock Queue HC 2Lock Queue IC 1P-1C P-2C P-4C  1P-PC  PP-1C  HC : heap control IC : integer control Verification times in secs

Verifying Linked Lists with Multiple Fields Pattern-based summarization –User provides a graph grammar rule to describe the summarization pattern L x = next x y, prev y x, L y Represent any maximal sub-graph that matches the pattern with a summary node –no node in the sub-graph pointed by a heap variable

Summarization Pattern Examples... nnn L x  x.n = y, L y... nnn L x  x.n = y, y.p = x, L y ppp L x  x.n = y, x.d = z, L y... nnn d d d

Outline Difficulties in concurrent programming A short history of model checking – 5 key ideas + 2 key tools Action Language Composite Symbolic Library Application to concurrency controllers Application to concurrent linked lists Related work Current and future work

Shape Analysis There is a lot of work on Shape analysis, I will just mention the ones which directly influenced us: –[Sagiv,Reps, Wilhelm TOPLAS’98], [Dor, Rodeh, Sagiv SAS’00] Verification of concurrent linked lists with arbitrary number of processes in –[Yahav POPL’01] 3-valued logic and instrumentation predicates –[Sagiv,Reps, Wilhelm TOPLAS], [Lev-Ami, Reps, Sagiv, Wilhelm ISSTA 00] Automatically generating instrumentation predicates –[Sagiv,Reps, Wilhelm ESOP 03]

Shape Analysis Deutch used integer constraint lattices to compute aliasing information using symbolic access paths –[Deutch PLDI’94] The idea of summarization patterns is based on the shape types introduced in – [Fradet and Metayer POPL 97]

Model Checking Software Specifications [Atlee, Gannon 93] –Translating SCR mode transition tables to input language of explicit state model checker EMC [Clarke, Emerson, Sistla 86] [Chan et al. 98,00] –Translating RSML specifications to input language of SMV [Bharadwaj, Heitmeyer 99] –Translating SCR specifications to Promela, input language of automata-theoretic explicit state model checker SPIN

Specification Languages Specification languages for verification –[Milner 80] CCS –[Chandy and Misra 88] Unity –[Lamport 94] Temporal Logic of Actions (TLA) Specification languages for model checking –[Holzmann 98] Promela –[McMillan 93] SMV –[Alur and Henzinger 96, 99] Reactive Modules

Action Language TLA Connection Similarities: –Transition relation is defined using predicates on current (unprimed) and next state (primed) variables –Each predicate is defined using integer arithmetic, boolean logic, etc. Differences: In Action Language –Temporal operators are not used in defining the transition relation Dual language approach: temporal properties (in CTL) are redundant, they are used to check correctness –Synchronous and asynchronous composition operators are not equivalent to logical operators

Constraint-Based Verification [Cooper 71] –Used a decision procedure for Presburger arithmetic to verify sequential programs represented in a block form [Cousot and Halbwachs 78] –Used real arithmetic constraints to discover invariants of sequential programs [Halbwachs 93] –Constraint based delay analysis in synchronous programs [Halbwachs et al. 94] –Verification of linear hybrid systems using constraint representations [Alur et al. 96] –HyTech, a model checker for hybrid systems

Constraint-Based Verification [Boigelot and Wolper 94] –Verification with periodic sets [Boigelot et al.] –Meta-transitions, accelerations [Delzanno and Podelski 99] –Built a model checker using constraint logic programming framework [Boudet Comon], [Wolper and Boigelot ‘00] –Translating linear arithmetic constraints to automata

Automata-Based Representations [Klarlund et al.] –MONA, an automata manipulation tool for verification [Boudet Comon] –Translating linear arithmetic constraints to automata [Wolper and Boigelot ‘00] –verification using automata as a symbolic representation [Kukula et al. 98] –application of automata based verification to hardware verification

Combining Symbolic Representations [Chan et al. CAV’97] –both linear and non-linear constraints are mapped to BDDs –Only data-memoryless and data-invariant transitions are supported [Bharadwaj and Sims TACAS’00] –Combines automata based representations (for linear arithmetic constraints) with BDDs –Specialized for inductive invariant checking [Bensalem et al. 00] –Symbolic Analysis Laboratory –Designed a specification language that allows integration of different verification tools

Model Checking Programs Verisoft from Bell Labs [Godefroid POPL 97] –C programs, handles concurrency, bounded search, bounded recursion, stateless search Java Path Finder (JPF) at NASA Ames [Havelund, Visser] –Explicit state model checking for Java programs, bounded search, bounded recursion, handles concurrency SLAM project at Microsoft Research [Ball, Rajamani et al. SPIN 00, PLDI 01] –Symbolic model checking for C programs, unbounded recursion, no concurrency –Uses predicate abstraction [Saidi, Graf 97] and BDDs BANDERA: A tool for extracting finite state models from programs [Dwyer, Hatcliff et al ICSE 00, 01]

Outline Difficulties in concurrent programming A short history of model checking – 5 key ideas + 2 key tools Action Language Composite Symbolic Library Application to concurrency controllers Application to concurrent linked lists Related work Current and future work

Current and Future Work Automata representation for linear arithmetic constraints Interface based specification and verification of concurrency controllers Specification and verification of web services

Automata Representation for Arithmetic Constraints [Bartzis, Bultan, CIAA 02], [Bartzis, Bultan, IJFCS] [Bartzis, Bultan TACAS 03], [Bartzis, Bultan CAV 03] Given a linear arithmetic formula construct a deterministic finite automaton that accepts the integers that satisfy the formula. Used MONA package Complexity results -210 sink 0 1 0, , , , , 1, 0, A finite automaton for 2x - 3y = 2

Concurrency Controllers and Interfaces [Betin-Can, Bultan SoftMC 03] Concurrency Controller – Behavior: How do the shared variables change – Interface: In which order are the methods invoked Separate Verification – Behavior verification Action Language Verifier – Interface verification Java PathFinder A modular approach – Build complex concurrency controllers by composing interfaces

Example Interface reqLand exitRW3crossRW3 park2 reqTakeOff leave exitRW4 exitRW5 exitRW6 exitRW7 exitRW8 crossRW5 crossRW6 crossRW7 crossRW8 crossRW4 park11 park10 park9 park7

Verification of Web Services [Fu, Bultan, Hull, Su TACAS 01, WES 02], [Bultan,Fu,Hull, Su WWW 03], [Fu, Bultan, Su CIAA 03] Verification of Vortex workflows using SMV and Action Language Verifier A top-down approach to specification and verification of composite web services –Specify the composite web service as a conversation protocol –Generate peer specifications from the conversation protocol Realizability conditions Working on the application of this framework to BPEL

Conversation Protocol A  B:msg1 B  A:msg2 B  C:msg3C  B:msg4 B  C:msg5 G(msg1  F(msg3  msg5)) ? LTL property Model Checking !msg1 ?msg2 Peer A ?msg1 !msg2 !msg5 !msg3 ?msg4 Peer B ?msg3 !msg4 Peer C Peer APeer BPeer C msg1 msg2, msg6 msg3, msg5 msg4 Conversation Schema Peer Synthesis Input Queue... Virtual Watcher ?msg6 B  A:msg6 !msg6 ?msg5

The End