An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer.

Slides:

Advertisements

Similar presentations

Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer ESBMC 1.22 (Competition Contribution)

Advertisements

Model Checking Concurrent Software Shaz Qadeer Microsoft Research.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Formal Semantics of Programming Languages 虞慧群 Topic 6: Advanced Issues.

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

Carnegie Mellon University Java PathFinder and Model Checking of Programs Guillaume Brat, Dimitra Giannakopoulou, Klaus Havelund, Mike Lowry, Phil Oh,

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

Presented by: Thabet Kacem Spring Outline Contributions Introduction Proposed Approach Related Work Reconception of ADLs XTEAM Tool Chain Discussion.

Department of Software Engineering Faculty of Mathematics and Physics CHARLES UNIVERSITY IN PRAGUE Czech Republic Extracting Zing Models from C Source.

Software Model Checking for Embedded Systems PIs: Matthew Dwyer 1, John Hatcliff 1, and George Avrunin 2 Post-docs: Steven Seigel 2, Radu Iosif 1 Students:

Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.

George Blank University Lecturer. CS 602 Java and the Web Object Oriented Software Development Using Java Chapter 4.

1 BOGOR – A Flexible Framework For Creating Model Checkers Presented by : Roli Shrivastava 20 March 2007.

1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.

Bogor Support US Army Research Office (ARO) US National Science Foundation (NSF) US Department of Defense Advanced Research Projects Agency (DARPA) Rockwell-Collins.

UML CASE Tool. ABSTRACT Domain analysis enables identifying families of applications and capturing their terminology in order to assist and guide system.

1 Introduction to CS Agenda Syllabus Schedule Lecture: the management of complexity.

Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://

1 Ivan Lanese Computer Science Department University of Bologna Italy Concurrent and located synchronizations in π-calculus.

Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.

Verifying Commit-Atomicity Using Model Checking Cormac Flanagan University of California, Santa Cruz.

Efficient Software Model Checking of Data Structure Properties Paul T. Darga Chandrasekhar Boyapati The University of Michigan.

1 ES 314 Advanced Programming Lec 2 Sept 3 Goals: Complete the discussion of problem Review of C++ Object-oriented design Arrays and pointers.

© 2006 Pearson Addison-Wesley. All rights reserved2-1 Chapter 2 Principles of Programming & Software Engineering.

1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.

Efficient Modular Glass Box Software Model Checking Michael Roberson Chandrasekhar Boyapati The University of Michigan.

Reuse Activities Selecting Design Patterns and Components

C++ fundamentals.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.

Extensible Plug-ins for Aspect-Oriented Programming Macneil Shonle*Ankit Shah.

Scientific Computing By: Fatima Hallak To: Dr. Guy Tel-Zur.

Domain-specific Model Checking with Bogor SAnToS Laboratory, Kansas State University, USA US Army Research Office (ARO)

CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: Basics and Observables Copyright , Matt Dwyer, John Hatcliff,

Selected Topics in Software Engineering - Distributed Software Development.

Generative Programming. Automated Assembly Lines.

Chapter 8 Object Design Reuse and Patterns. Object Design Object design is the process of adding details to the requirements analysis and making implementation.

Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The syllabus and all lectures for this course are copyrighted materials and may not be used.

Model construction and verification for dynamic programming languages Radu Iosif

CIS 842: Specification and Verification of Reactive Systems Lecture 1: Course Overview Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The.

Verification of obstruction-free algorithm with contention management Niloufar Shafiei.

Virtual Machines, Interpretation Techniques, and Just-In-Time Compilers Kostis Sagonas

CPS 506 Comparative Programming Languages Syntax Specification.

1 CSEP590 – Model Checking and Automated Verification Lecture outline for August 6, 2003.

Adapting Side-Effects Analysis for Modular Program Model Checking M.S. Defense Oksana Tkachuk Major Professor: Matthew Dwyer Support US National Science.

Domain-specific Model Checking with Bogor SAnToS Laboratory, Kansas State University, USA US Army Research Office (ARO)

CIS 842: Specification and Verification of Reactive Systems Lecture INTRO-Examples: Simple BIR-Lite Examples Copyright 2004, Matt Dwyer, John Hatcliff,

© 2006 Pearson Addison-Wesley. All rights reserved 2-1 Chapter 2 Principles of Programming & Software Engineering.

Testing OO software. State Based Testing State machine: implementation-independent specification (model) of the dynamic behaviour of the system State:

1 Bogor – Software Model Checking Framework Presented by: Arpita Gandhi.

On Implementing High Level Concurrency in Java G Stewart von Itzstein Mark Jasiunas University of South Australia.

PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013.

1 Programming Languages (CS 550) Lecture 2 Summary Mini Language Interpreter Jeremy R. Johnson.

/ PSWLAB Thread Modular Model Checking by Cormac Flanagan and Shaz Qadeer (published in Spin’03) Hong,Shin Thread Modular Model.

CS5205Semantics1 CS5205: Foundation in Programming Languages Semantics Static Semantics Dynamic Semantics Operational Semantics Big-step Small-Step Denotational.

Domain-specific Model Checking with Bogor SAnToS Laboratory, Kansas State University, USA US Army Research Office (ARO)

Symbolic Model Checking of Software Nishant Sinha with Edmund Clarke, Flavio Lerda, Michael Theobald Carnegie Mellon University.

Sung-Dong Kim, Dept. of Computer Engineering, Hansung University Java - Introduction.

Examples (D. Schmidt et al)

Chapter 1 Introduction.

Chapter 1 Introduction.

Model Checking Software Using The Bogor Framework

Space-Reduction Strategies for Model Checking Dynamic Software

runtime verification Brief Overview Grigore Rosu

Model Checking Software Using The Bogor Framework

Over-Approximating Boolean Programs with Unbounded Thread Creation

An explicit state model checker

A Refinement Calculus for Promela

Introduction to Data Structure

The Bogor Model Checking Framework

Presentation transcript:

An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer John Hatcliff Principal Investigators Support ARO CIP/SW URI award DAAD DARPA/AFRL project AFRL-F C-3044 NSF SEL Program under Award CCR Students Robby

Model Checking-based Analyses Given a finite-state model and property specifications Explores all possible states that are reachable from the initial state and check the properties For concurrent programs, explore all possible interleavings of threads Needs to remember all states that are visited for termination

Model Checking-based Analyses Rich-class of correctness properties Precise semantic reasoning Relative to typical static analyses Pros Cons Scalability!

Issues in Model Checking Desperately need all reduction techniques one can think of Reducing the number of interleavings that are considered (e.g., slicing, POR) Reducing the number of states that are explored (e.g., slicing, abstractions, symmetry) Reducing the number of bits needed to store the states (e.g., compression, collapse)

Issues in Model Checking — Experience with Existing Tools Significant experience using existing tools hand-crafted models as target of translation Clever mappings required to express artifact features, e.g., heap data for efficiency, e.g., symmetry reductions Often times additional state variables were needed to express events in state-based formalisms to state properties over extent of a reference type to implement scheduling policies

Issues in Model Checking Need complete control on all aspects of a model checker Efficient mapping of software artifact onto model checking framework To implement the reduction techniques Rapid prototyping

Issues in Model Checking — Custom Model Checkers Modifying a model checker is daunting dSpin (Iosif) SMV (Chan) Building a custom model checker is a point-solution JPF, SLAM, … Tool-kits don’t yield optimized checkers NuSMV, Concurrency Factory, “The Kit”, … Bogor incorporates the advantages of each of these approaches

We would like …. Rich core input language for modeling dynamic and concurrent system Extensible input language Minimizes syntactic modification when extending Minimizes effort for customized semantics Highly-capable core checker State-of-the-art reduction algorithms Customizable checker components Eases specialization or adaptation to a particular family of software artifacts Domain-experts with some knowledge of model checking can customize the checker on their own

Rich Input Language Built on guarded-assignment language Natural to model concurrent system Features to support dynamic, concurrent software artifacts Dynamic creation of threads and objects Automatic memory management (ala Java) Inheritance, exceptions, (recursive) functions Type-safe function pointers

Extensible Input Language Allow model checker input language to directly support natural domain abstractions For example, chan in Promela Hides intricate details of how a communication channel is implemented Only focuses on the behavior of the channel that is relevant, e.g., synchronous, rendezvous, etc. Fewer details of states that need to be stored, and possibly less states that needs to be explored Syntax does not need to change, and new abstractions can be added on demand

Extensible Input Language — Resource Contention Example Process#1 Process#3 Process#2 Process#4 acquire release Resource Pool

Extensible Input Language — Resource Contention Example Process#1 Process#3 Process#2 Process#4 acquire Resource Pool

Extensible Input Language — Resource Contention Example Process#1 Process#3 Process#2 Process#4 release Resource Pool How do we represent the resource pool if we are checking for example deadlock? How do we encode the representation in the model?

Extensible Input Language — Set Extension Example (Syntax) Bogor allows new abstract types and abstract operations as first-class construct

Extensible Input Language — Set Extension Example (Semantics) public class MySet implements INonPrimitiveExtValue { protected HashSet set = new HashSet(); protected boolean isNonPrimitiveElement; public void add(IValue v) { set.add(v); } public byte[][] linearize(..., int bitsPerNPV, ObjectIntTable npvIdMap) { Object[] elements = set.toArray(); BitBuffer bb = new BitBuffer(); if (isNonPrimitiveElement) { int[] elementIds = new int[elements.length]; for (int i = 0; i < elements.length; i++) elementIds[i] = npvIdMap.get(elements[i]); Arrays.sort(elementIds); for (int i = 0; i < elements.length; i++) bb.append(elementIds[i], bitsPerNPV); } else... return new byte[][] { bb.toByteArray() }; }... Implementing the set value for the set type Reuse Java collection to implement set Wrapper for add operation Constructs a bit vector that represents the set instead of encoding the HashSet instance Constructs a bit vector that represents the set instead of encoding the HashSet instance

Extensible Input Language — Set Extension Example (Semantics) R GB Suppose the references to resources are represented as integers R, G, B The state of the set consists of encodings of the references to resources And ordered!

Extensible Input Language — Observable Extension Example Expression/action extensions can: be non-deterministic have access to all the information in the current state and all previous states in the DFS stack Easy to express predicates/functions over dynamic data e.g., non-deterministically choose a reachable heap instance from a given reference

Extensible Input Language — Observable Extension Example (Syntax) An invariant example using Bogor function expressions Function expressions can be recursive … …

Extensible Input Language — Observable Extension Example (Semantics) public IValue forAll(IExtArguments arg) { String predFunId =.. MySet set = (MySet) arg.getArgument(1); IValue[] els = set.elements(); for (int i = 0; i < els.length; i++) { IValue val = ee.evaluateApply(predFunId, new IValue[] {els[i] }); if (isFalse(val)) return getBooleanValue(false); } return getBooleanValue(true); }

Highly Capable Core Checker Bogor implements state-of-the-art reduction techniques State reductions [Robby-al ‘03] Collapse compression (based on Holzmann ‘97) Heap symmetry (based on Iosif ‘02) Thread symmetry (based on Bosnacki ‘02) Interleaving reductions [Dwyer-al ‘03] Partial order reductions (based on Clarke-al ‘93)

Verified Counter Example Lexer Parser Type Checking Semantic Analyses IExpEvaluatorITransformer ISearcher IActionTakerIBacktrackIF IStateMgr IValueFactoryISchedulingStg IStateFactory.bir.config Customizable Architecture

Assessment Dynamic Escape Analysis for POR (150 LOC, 20x) Rich-forms of heap quantification Dynamic atomicity (5 LOC, 5x) Middle-ware model Priority Scheduling (200 LOC, 10x) Relative-time environment (10x) Lazy-time environment (240 LOC, 100x) Quasi-cyclic search (200 LOC, 100x)

Tool Availability (Summer ’03)