Development of Formally Verified Erlang Programs a case study Thomas Arts Clara Benac Earle Computer Science Lab Stockholm, Sweden.

Slides:

Advertisements

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

Advertisements

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.

Formal Methods and Testing Goal: software reliability Use software engineering methodologies to develop the code. Use formal methods during code development.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Dr. Kalpakis CMSC 621, Advanced Operating Systems. Distributed Mutual Exclusion.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Thomas Arts Industrial Use of a Functional Language Thomas Arts Ericsson Computer Science Laboratory Stockholm, Sweden

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.

CS 290C: Formal Models for Web Software Lecture 4: Implementing and Verifying Statecharts Specifications Using the Spin Model Checker Instructor: Tevfik.

Multiprocessor Synchronization Algorithms ( ) Lecturer: Danny Hendler The Mutual Exclusion problem.

LIFE CYCLE MODELS FORMAL TRANSFORMATION

1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.

Software Reliability CIS 640 Adapted from the lecture notes by Doron Pelel (

Ordering and Consistent Cuts Presented By Biswanath Panda.

Banker’s Algorithm Implementation in CPN Tools Michal Žarnay Department of Transportation Networks University of Žilina, Slovakia.

Computer Science Lecture 12, page 1 CS677: Distributed OS Last Class Distributed Snapshots –Termination detection Election algorithms –Bully –Ring.

Ch6: Software Verification. 1 Statement coverage criterion  Informally:  Formally:  Difficult to minimize the number of test cases and still ensure.

Specification Formalisms Book: Chapter 5. Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct.

Embedded Systems Laboratory Department of Computer and Information Science Linköping University Sweden Formal Verification and Model Checking Traian Pop.

ESE601: Hybrid Systems Introduction to verification Spring 2006.

EE694v-Verification-Lect5-1- Lecture 5 - Verification Tools Automation improves the efficiency and reliability of the verification process Some tools,

1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.

1 Software Testing and Quality Assurance Lecture 5 - Software Testing Techniques.

Computer Science Lecture 12, page 1 CS677: Distributed OS Last Class Vector timestamps Global state –Distributed Snapshot Election algorithms.

Software Testing and QA Theory and Practice (Chapter 10: Test Generation from FSM Models) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 10 Slide 1 Formal Specification.

in collaboration with University of Kent Clara Benac Earle SICS Mads Dam Lars-Åke Fredlund Dilian Gurov Gena Chugunov CWI Izak van Langevelde Wan Fokkink.

1 Thread Synchronization: Too Much Milk. 2 Implementing Critical Sections in Software Hard The following example will demonstrate the difficulty of providing.

A Simple Method for Extracting Models from Protocol Code David Lie, Andy Chou, Dawson Engler and David Dill Computer Systems Laboratory Stanford University.

CCS APPS CODE COVERAGE. CCS APPS Code Coverage Definition: –The amount of code within a program that is exercised Uses: –Important for discovering code.

VeriFlow: Verifying Network-Wide Invariants in Real Time

4.5 DISTRIBUTED MUTUAL EXCLUSION MOSES RENTAPALLI.

Scientific Computing By: Fatima Hallak To: Dr. Guy Tel-Zur.

System Model Deadlock Characterization Methods for Handling Deadlocks Deadlock Prevention, Avoidance, and Detection Recovering from Deadlock Combined Approach.

Computer Science Lecture 12, page 1 CS677: Distributed OS Last Class Vector timestamps Global state –Distributed Snapshot Election algorithms –Bully algorithm.

BE-SECBS FISA 2003 November 13th 2003 page 1 DSR/SAMS/BASP IRSN BE SECBS – IRSN assessment Context application of IRSN methodology to the reference case.

Refining middleware functions for verification purpose Jérôme Hugues Laurent Pautet Fabrice Kordon

Presenter: Long Ma Advisor: Dr. Zhang 4.5 DISTRIBUTED MUTUAL EXCLUSION.

Computer Architecture and Operating Systems CS 3230: Operating System Section Lecture OS-6 Deadlocks Department of Computer Science and Software Engineering.

1 Qualitative Reasoning of Distributed Object Design Nima Kaveh & Wolfgang Emmerich Software Systems Engineering Dept. Computer Science University College.

Safety-Critical Systems 5 Testing and V&V T

Eliminating Overlapping in Pattern Matching when Verifying Erlang Programs in muCRL Qiang Guo and John Derrick Department of Computer Science The University.

Software Testing. Software testing is the execution of software with test data from the problem domain. Software testing is the execution of software.

1 Introduction to Software Testing. Reading Assignment P. Ammann and J. Offutt “Introduction to Software Testing” ◦ Chapter 1 2.

Java Basics Hussein Suleman March 2007 UCT Department of Computer Science Computer Science 1015F.

Parameterized Models for Distributed Java Objects Tomás Barros & Rabéa Boulifa OASIS Project INRIA Sophia Antipolis April 2004.

2015 Concurrency: logical properties 1 ©Magee/Kramer 2 nd Edition Chapter 14 Logical Properties Satisfied? Not satisfied?

Verification & Validation By: Amir Masoud Gharehbaghi

Author Software Engineering Institute

Computer Architecture and Operating Systems CS 3230: Operating System Section Lecture OS-5 Process Synchronization Department of Computer Science and Software.

An Efficient and Fault-Tolerant Solution for Distributed Mutual Exclusion by D. Agrawal, A.E. Abbadi Presentation by Peter Tsui for COEN 317, F/03.

Lecture 4 Introduction to Promela. Promela and Spin Promela - process meta language G. Holzmann, Bell Labs (Lucent) C-like language + concurrency dyamic.

Software Systems Verification and Validation Laboratory Assignment 4 Model checking Assignment date: Lab 4 Delivery date: Lab 4, 5.

Winter 2007SEG2101 Chapter 121 Chapter 12 Verification and Validation.

CIS 725 Lecture 2. Finite State Machine Model FSM = (A, S, T, s 0 ) A = set of actions S = set of states s 0 = initial states T = transition relation.

1 CS.217 Operating System By Ajarn..Sutapart Sappajak,METC,MSIT Chapter 6 Deadlocks Slide 1 Chapter 6 Deadlocks.

Distributed Mutual Exclusion Synchronization in Distributed Systems Synchronization in distributed systems are often more difficult compared to synchronization.

Mutual Exclusion Algorithms. Topics r Defining mutual exclusion r A centralized approach r A distributed approach r An approach assuming an organization.

Basic concepts of Model Checking

Development of Formally Verified Erlang Programs a case study

Software Testing.

Concurrency Specification

Modeling Mutual Exclusion Algorithms

Using Formal Coverage Analyzer for Code Coverage improvement

Model Checking Concurrent Systems – An Example: Mutual Exclusion

Verifying GME with JPF COSC6490A Zhenyu Pan York University 2007.

Industrial Use of a Functional Language

Presentation transcript:

Development of Formally Verified Erlang Programs a case study Thomas Arts Clara Benac Earle Computer Science Lab Stockholm, Sweden

Research question how can we identify the hard-to-find errors in the code? can formal methods help in finding errors not uncovered by testing?

AXD 301 Architecture CP Switch Core DPDP DPDP DPDP DPDP DPDP DPDP DPDP AXD 301 Call setup

AXD 301 Architecture CP Switch Core DPDP DPDP DPDP DPDP DPDP DPDP DPDP CP OM CP OM CP OM CC CP CC OM AXD 301 fault tolerance

CP CC CP CC CP Switch Core DPDP DPDP DPDP DPDP DPDP DPDP DPDP CP OM CP OM CP OM CP CC OM CP OM CP CC CP CC node OM node app Billing application Take over

CP CC node OM node Billing application app Take over take over

CP OM node app CP CC node OM node Billing application app Take over

Application lock During take over the respective application should not be used. distributed resource locker with shared and exclusive locks

CLIENTSRESOURCES A C B LOCKER CLIENT 1 CLIENT 2 CLIENT 3 ok {request,[A],shared} ok {request,[A],exclusive} ok {release} done {release} done {request,[A,B],shared} C1 C2 C3

example -module(client). start_link(Locker) -> {ok,spawn_link(loop,[Locker])}. loop(Locker) -> gen_server:call(Locker,request), critical(), gen_server:call(Locker,release), loop(Locker).

example start_link() -> gen_server:start_link(locker,[],[]). init([]) -> {ok,[]}. handle_call(request,Client,Pending)-> case Pending of [] -> {reply, ok, [Client]}; _ -> {noreply, Pending ++ [Client]} end; handle_call(release, Client, [_|Pending]) -> case Pending of [] -> {reply, done, []}; _ -> gen_server:reply(hd(Pending), ok), {reply, done, Pending} end.

Supervisor processes standard supervision structure can be used to obtain initialization information for transition diagram supervisor locker gen_server client start supervision tree with 5 clients supervisor:start(locker_sup,start,[5]).

Testing versus Verification Thus, for one input, 100% coverage with verification testing: many program runs on different input verification: all runs on different input verify:allruns(locker_sup,start,[8]).

Mutual exclusion (at most one client has access to resource) -module(client). start_link(Locker) -> {ok,spawn_link(loop,[Locker])}. loop(Locker) -> gen_server:call(Locker,request), critical(), gen_server:call(Locker,release), loop(Locker). io:format(“enter cs~n”), critical(), io:format(“exit cs~n”), erlang:trace for gen_server:call

testing io client 2client 1 enter cs exit cs enter cs exit cs enter cs exit cs

Verification: generate State Space clients states transitions

Erlang -> transitions start verification with 2 clients verify:allruns(locker_sup,start,[2]) our Tool locker.erl client.erl locker_sup.erl client_sup.erl our Tool our Tool our Tool our Tool EtoE rest tool locker.erl client.erl init.erl instantiation

Erlang -> transitions start verification with 2 clients etomcrl:instantiator(locker_sup,start,[2]) locker.erl client.erl locker_sup.erl client_sup.erl locker.erl client.erl init.erl instantiation tomcrl.erl instantiation EtoE rest tool EtoPmcrl

Erlang -> transitions locker.erl client.erl locker_sup.erl client_sup.erl instantiation tomcrl.erl instantiation EtoE rest tool EtoPmcrl rest tool CWI tool instantiator locker.mCRL toMCRL start verification with 2 clients etomcrl:instantiator(locker_sup,start,[2]) locker.erl client.erl init.erl

Erlang -> transitions locker.erl client.erl locker_sup.erl client_sup.erl instantiation tomcrl.erl instantiation EtoE rest tool EtoPmcrl CWI tool instantiator locker.mCRL toMCRL start verification with 2 clients etomcrl:instantiator(locker_sup,start,[2]) locker.erl client.erl init.erl Aldebaran locker.aut

State Space analysis simulation with backtrack possibilities find execution sequence deadlock check states in the graph without out-arrow property check such as mutual exclusion

State Space analysis Between two handle_call(request,_,_) there should be a handle_call(release,_,_). [-*,“ handle_call(request,_,_) ”, (not “ handle_call(release,_,_) ”)*, “ handle_call(request,_,_) ” ]false Properties are specified as regular expressions over Erlang function calls in combination with [] and <> operators. After a gen_server:call(locker, request) there is always a gen_server:call(locker,release) possible. [-*,“ gen_server:call(locker, request) ”] true

Conclusions We developed software to verify properties of Erlang programs We verified a resource locker program featuring multiple resources with shared and exclusive access (upto 6 clients in many different configurations) State space upto a million states (several techniques to reduces state space if property is given) Working on addition of Erlang constructs to cover more of the language (fault tolerance handling, gen_fsm)