Efficient Software Model Checking of Data Structure Properties
Paul T. Darga, Chandrasekhar Boyapati
The University of Michigan
Software Model Checking
Exhaustively test code
–On all possible schedules
–On all possible inputs
–Within a bounded finite domain
Software Model Checking
[Figure: state graph explored from the initial state along transitions; state space explosion!]
State Space Reduction
Many software model checkers
–Verisoft, JPF, CMC, SLAM, Blast, Magic, …
Many state space reduction techniques
–Partial order reduction
–Predicate abstraction
Effective for control-oriented properties
Our work focuses on data-oriented properties
Our Approach: Tree Example
Our system detects that it suffices to check:
–Every operation on every tree path
–Rather than every operation on every tree
Red-black tree: O(n^3) paths, O(n^n) trees
Significant speedup to model checking
Glass Box Model Checking
[Figure: a queue with front and back pointers and enqueue/dequeue operations; its states drawn as a grid of pairs (0, 0), (0, 1), (1, 0), … up to (4, 0)]
Traditional (black-box) model checker: O(n^2) states, O(n^2) transitions
Glass Box model checker: O(n) states, O(n) transitions
Outline
Introduction to glass box model checking
Challenges
Experimental results
Related work
Future work and conclusion
Glass Box: Challenges
State space organization
State Space Reachability
We cannot use reachability through transitions (black-box approach)
Programmers must provide a class invariant
State space: the set of all type-correct states within a specified bound which satisfy the invariant
[Figure: a state that is disconnected from the initial state, but we still need to check one of its transitions!]
Invariants: Specification
–Singly-linked list: absence of cycles
–java.util.TreeMap: 1670 lines of code, 20 lines of invariant

Hand-written invariant (repOk walks the list and rejects a node seen twice):

    class LinkedList {
        static class Node { Node next; Object value; }
        Node head;
        boolean repOk() {
            java.util.Set visited = new java.util.HashSet();
            for (Node n = head; n != null; n = n.next) {
                if (!visited.add(n)) return false;   // node reached twice: a cycle
            }
            return true;
        }
    }

With the tree field annotation, the acyclicity invariant is implied and repOk has nothing left to check:

    class LinkedList {
        static class Node { tree Node next; Object value; }
        tree Node head;
        boolean repOk() {
            // writing invariants is easy and fun!
            return true;
        }
    }
Glass Box: Search Algorithm

    I = states satisfying the invariant
    S = I × { transitions }
    while (S is not empty) {
        t = any transition in S
        run t
        verify the post-condition
        T = { transitions similar to t }
        S = S – T
    }

How do we represent these sets, and perform operations on them, efficiently?
Glass Box: Challenges
State space organization
–Class invariants
State space representation
–Binary decision diagrams
Binary Decision Diagrams
Compact representation of exponentially large yet structured sets
Perform set operations directly
[Figure: a BDD over the variables "root is null", "left is null", "right is null", "root is red", "left is red", "right is red"]
BDDs: Red-Black Trees
[Chart: max height versus set size and BDD size]
Glass Box: Challenges
State space organization
–Class invariants
State space representation
–Binary decision diagrams
State space reduction
–Monitoring field access
–Monitoring information flow
–Pruning isomorphic structures
–Ensuring soundness
Monitoring Field Access

Transition t:
    t := op = pop ∧ head = n0 ∧ n0.value = 3 ∧ n0.next = n1 ∧ n1.value = 7 ∧ n1.next = n2 ∧ n2.value = 4 ∧ n2.next = n3 ∧ n3.value = 2 ∧ n3.next = null

    Object pop() {
        if (head == null) return null;
        Object v = head.value;
        head = head.next;
        return v;
    }

[Figure: head → n0 → n1 → n2 → n3]

Fields accessed by pop: head = n0 ∧ n0.value = 3 ∧ n0.next = n1
    T := op = pop ∧ head = n0 ∧ n0.value = 3 ∧ n0.next = n1

A second, smaller set of similar transitions shown on the slide: head = n0 ∧ n0.next = n1
    T := op = pop ∧ head = n0 ∧ n0.next = n1
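The search loop from the "Search Algorithm" slide combined with field access monitoring, as an added Python model that is not the paper's own code: it enumerates every bounded linked-stack state satisfying the invariant, runs each pending transition while recording the fields it reads, and prunes all transitions that agree on exactly those fields. The bound, value domain, explicit sets (no BDDs) and the push/pop operations are constructed assumptions; information-flow monitoring and isomorphism pruning are not modelled.

```python
from itertools import product
MAX_SIZE, VALUES = 4, (1, 2, 3)    # bound on stack depth and on node values (constructed)
def all_states():
    # I = every type-correct state within the bound; the invariant (an acyclic chain) holds for each tuple
    return [s for n in range(MAX_SIZE + 1) for s in product(VALUES, repeat=n)]

class Monitored:
    """A linked stack held as a tuple of node values; records every field the operation reads."""
    def __init__(self, nodes):
        self.nodes, self.reads = nodes, {}
    def head(self):        # node index that 'head' points to, None for null
        return self.reads.setdefault("head", 0 if self.nodes else None)
    def value(self, i):    # n_i.value
        return self.reads.setdefault(f"n{i}.value", self.nodes[i] if i < len(self.nodes) else None)
    def next(self, i):     # n_i.next as a node index, None for null
        return self.reads.setdefault(f"n{i}.next", i + 1 if i + 1 < len(self.nodes) else None)

def pop(m):                # mirrors the Java pop() on the slide: reads head, n0.value, n0.next
    h = m.head()
    if h is None:
        return None, ()
    v, nxt = m.value(h), m.next(h)
    return v, (m.nodes[nxt:] if nxt is not None else ())

def push(m):               # new.next = head; head = new: reads only 'head'
    m.head()
    return None, (1,) + m.nodes
OPS = {"pop": pop, "push": push}
def post(op, old, ret, new):   # the operation's specification, verified after each run
    if op == "pop":
        return ret == (old[0] if old else None) and new == old[1:]
    return new == (1,) + old

def similar(s, reads):
    """True if state s yields the same value for every field the executed transition read."""
    m = Monitored(s)     # "n0.value" -> m.value(0); "n0.next" -> m.next(0)
    probe = lambda f: m.head() if f == "head" else getattr(m, f.split(".")[1])(int(f[1:f.index(".")]))
    return all(probe(f) == seen for f, seen in reads.items())

def glass_box_check():
    """Run the search loop of the slide; returns (transitions executed, transitions covered)."""
    states = all_states()
    pending = {(s, op) for s in states for op in OPS}          # S = I x {transitions}
    executed = 0
    while pending:
        s, op = next(iter(pending))                            # t = any transition in S
        m = Monitored(s)
        ret, new = OPS[op](m)                                  # run t, monitoring field reads
        assert post(op, s, ret, new), (op, s)                  # verify the post-condition
        executed += 1
        pending -= {(t, op) for t in states if similar(t, m.reads)}   # S = S - T
    return executed, len(states) * len(OPS)
```

With these bounds there are 121 states and 242 transitions, but only 9 are ever executed: pop reads at most head, n0.value and n0.next, so every state with the same values in those fields is covered by one run.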
Performance: Stack
[Chart: max size versus BDD nodes and transitions, for Glass Box, JPF and Black Box]

Performance: Stack
[Chart: max size versus BDD nodes and time (s), for Glass Box, JPF and Black Box]

Performance: Queue
[Chart: max size versus BDD nodes and transitions, for Glass Box, JPF and Black Box]

Performance: Queue
[Chart: max size versus BDD nodes and time (s), for Glass Box, JPF and Black Box]

Performance: Red-Black Tree
[Chart: max height versus BDD nodes and transitions, for Glass Box, JPF and Black Box]
Only 10 seconds to verify over 2^70 red-black trees!

Performance: Red-Black Tree
[Chart: max height versus BDD nodes and time (s), for Glass Box, JPF and Black Box]
Only 10 seconds to verify over 2^70 red-black trees!

Performance: File System
[Chart: max height versus BDD nodes and transitions, for Glass Box, JPF and Black Box]

Performance: File System
[Chart: max height versus BDD nodes and time (s), for Glass Box, JPF and Black Box]
Related Work
Software model checkers
–Verisoft [Godefroid]
–Java PathFinder [Visser et al]
–CMC [Musuvathi, Park, Chou, Engler, Dill]
–Bandera [Corbett, Dwyer, Hatcliff, Robby, et al]
–Bogor [Dwyer, Hatcliff, Hoosier, Robby]
–SLAM [Ball, Majumdar, Millstein, Rajamani]
–Blast [Henzinger, Jhala, Majumdar]
–Magic [Chaki, Clarke, Groce, Jha, Veith]
–XRT [Grieskamp, Tillmann, Schulte]
–JCAT [DeMartini, Iosif, Sisto]
Related Work
State space reduction techniques
–Abstraction & refinement [SLAM; Blast; Magic]
–Partial order reduction [Godefroid; Flanagan]
–Heap canonicalization [Musuvathi, Dill; Iosif]
–Symmetry reduction [Ip, Dill]
Related Work
Static analysis tools
–TVLA [Sagiv, Reps, Wilhelm]
–PALE [Moeller, Schwartzbach]
Formal verification using theorem provers
–ESC/Java [Nelson et al]
–ACL2 [Kaufmann, Moore, et al]
Future Work
Data structures are just the beginning
Applicable to any system where we can:
–Describe the state space using invariants
–Make transitions depend on a small part of the state
Can significantly speed up model checking