Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model Checking of Concurrent Software: Current Projects Thomas Reps University of Wisconsin.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Model Checking of Concurrent Software: Current Projects Thomas Reps University of Wisconsin."— Presentation transcript:

1 Model Checking of Concurrent Software: Current Projects Thomas Reps University of Wisconsin

2 Projects and Personnel University of Wisconsin –Anne Mulhern –Alexey Loginov Tel-Aviv University –Prof. Mooly Sagiv –Eran Yahav –Noam Rinetzky –Greta Yorsh University of Saarbrücken –Prof. Reinhard Wilhelm

3 Verifying Behavioral Subtyping Anne Mulhern Inheritance of code vs. inheritance of behavior Liskov Substitution Principle: For every object x ’ of type t ’ there is an object x of type t, such that for all programs P defined in terms of t, the behavior of P is unchanged when x ’ is substituted for x. [Liskov 1988] Not enforced by compilers Goal: Build a tool that provides some amount of checking

4 Why? class FooNode { FooNode next;...  many data members ... }; class Foo { FooNode first; FooNode last; AppendElmt(Datum);...  many members ... }; class ListNode { ListNode next; }; class List { ListNode first; ListNode last; AddToEnd(); }; ??

5 Abstraction Refinement for TVLA/TVMC Alexey Loginov Identify additional abstraction predicates –Nullary? Unary? –Both can be used to refine an abstraction Need to be able to automatically create update formulas –Finite differencing of formulas [Reps, Sagiv] Semantic minimization of formulas

6 Semantic Minimization    (A): Value of formula  in assignment A In 3-valued logic,    (A) may equal ½  p + p ’  ([p  0]) = 1  p + p ’  ([p  ½]) = ½  p + p ’  ([p  1]) = 1

7 Two- vs. Three-Valued Logic 01 Two-valued logic {0,1} {0}{1} Three-valued logic {0}  {0,1} {1}  {0,1}

8 Two- vs. Three-Valued Logic Two-valued logicThree-valued logic

9 Two- vs. Three-Valued Logic Three-valued logic 0 1 Two-valued logic {1} {0,1} {0} 1 ½ 0

10 Two- vs. Three-Valued Logic 01 Two-valued logic {0}{1} Three-valued logic {0,1}

11 Two- vs. Three-Valued Logic 01 Two-valued logic ½ 01 Three-valued logic 0  ½ 1  ½

12 1: True 0: False 1/2: Unknown A join semi-lattice: 0  1 = 1/2 Three-Valued Logic   1/2 Information order

13 Boolean Connectives [Kleene]

14 Semantic Minimization    (A): Value of formula  in assignment A In 3-valued logic,    (A) may equal ½  p + p ’  ([p  0]) = 1  p + p ’  ([p  ½]) = ½  p + p ’  ([p  1]) = 1

15 Semantic Minimization    (A): Value of formula  in assignment A In 3-valued logic,    (A) may equal ½  p + p ’  ([p  0]) = 1  p + p ’  ([p  ½]) = ½  p + p ’  ([p  1]) = 1 However,  1  ([p  0]) = 1  1  ([p  ½]) = 1  1  ([p  1]) = 1

16 Semantic Minimization  1  ([p  0]) = 1 =  p + p ’  ([p  0])  1  ([p  ½]) = 1  ½ =  p + p ’  ([p  ½])  1  ([p  1]) = 1 =  p + p ’  ([p  1]) 2-valued logic: 1 is equivalent to p + p ’ 3-valued logic: 1 is better than p + p ’ For a given , is there a best formula? Yes!

17 Semantic Minimization Input: Propositional formula  Output: Propositional formula  such that For all 3-valued assignments A,    (A) =     (a) a  A, a definite By the monotonicity of    (),    (A) =     (a)     (A) a  A, a definite

18 Example Original formula (  ) xy ’ + x ’ z ’ + yz (Note:  is an irredundant sum of products) Minimal formula (  ) y ’ z ’ + yz + x ’ z ’ + x ’ y + xz + xy ’   (x ’ y ’ z + xyz ’ ) For which A’s do we have    (A)     (A)? A    (A)    (A) [x  ½, y  0, z  0] 1 ½ [x  0, y  1, z  ½] 1 ½ [x  1, y  ½, z  1] 1 ½

19 TVMC: A 3-Valued Model Checker Eran Yahav Programming-language features –concurrency –unbounded #’s of threads –pointers/aliasing –unbounded #’s of heap-allocated cells Properties to be checked –FOLTL (LTL + quantification) –Safety properties –Liveness properties (at least some forms...)

20 Java Threads Are Heap-Allocated Objects  Thread Analysis  Shape Analysis A memory configuration: thread3 inCritical lock1 isAcquired thread1 atStart thread2 atStart thread4 atStart csLock heldBy

21 An abstract memory configuration: thread inCritical lock1 isAcquired thread ’ atStart csLock heldBy Java Threads Are Heap-Allocated Objects  Thread Analysis  Shape Analysis

22 Here, model checking means: Explore the space of possible transitions among abstract memory configurations Java Threads Are Heap-Allocated Objects  Thread Analysis  Shape Analysis

23 Analysis of ADTs Noam Rinetzky Analysis of ADTs (classes) and their clients Objects summarized by finite-state machines obtained via shape-analysis Example: –Class Queue –Four states of a Queue object: Not allocated Empty Non-empty Error

24 Analysis of Trees Greta Yorsh Shape analysis of tree-manipulation programs –Binary-search-tree operations –Deutsch-Schorr-Waite tree traversal without a stack Challenges –Garbage-collection marking algorithm that uses Deutsch-Schorr-Waite graph traversal (DSW tree traversal of depth-first-search tree) –Barnes-Hut: uses an oct-tree with chained leaves Improved materialization algorithm for TVLA

Download ppt "Model Checking of Concurrent Software: Current Projects Thomas Reps University of Wisconsin."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
Program Analysis and Verification 0368-4479

Program Analysis and Verification
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.

3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
1 Mooly Sagiv and Greta Yorsh School of Computer Science Tel-Aviv University Modern Compiler Design.

1 Mooly Sagiv and Greta Yorsh School of Computer Science Tel-Aviv University Modern Compiler Design.
Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, 14.2.1 – 14.2-2) Hao Zheng U of South Florida.

Introduction to Embedded Systems Chapter 14 Reachability Analysis (14.1, – ) Hao Zheng U of South Florida.
Graphs Graphs are the most general data structures we will study in this course. A graph is a more general version of connected nodes than the tree. Both.

Graphs Graphs are the most general data structures we will study in this course. A graph is a more general version of connected nodes than the tree. Both.
Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.

Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.
1 Lecture 08(a) – Shape Analysis – continued Lecture 08(b) – Typestate Verification Lecture 08(c) – Predicate Abstraction Eran Yahav.

1 Lecture 08(a) – Shape Analysis – continued Lecture 08(b) – Typestate Verification Lecture 08(c) – Predicate Abstraction Eran Yahav.
Inferring Synchronization under Limited Observability Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center.

Inferring Synchronization under Limited Observability Martin Vechev Eran Yahav Greta Yorsh IBM T.J. Watson Research Center.
Static Program Analysis via Three-Valued Logic Thomas Reps University of Wisconsin Joint work with M. Sagiv (Tel Aviv) and R. Wilhelm (U. Saarlandes)

Static Program Analysis via Three-Valued Logic Thomas Reps University of Wisconsin Joint work with M. Sagiv (Tel Aviv) and R. Wilhelm (U. Saarlandes)
Local Heap Shape Analysis Noam Rinetzky Tel Aviv University Joint work with Jörg Bauer Universität des Saarlandes Thomas Reps University of Wisconsin Mooly.

Local Heap Shape Analysis Noam Rinetzky Tel Aviv University Joint work with Jörg Bauer Universität des Saarlandes Thomas Reps University of Wisconsin Mooly.
Abstractions. Outline Informal intuition Why do we need abstraction? What is an abstraction and what is not an abstraction A framework for abstractions.

Abstractions. Outline Informal intuition Why do we need abstraction? What is an abstraction and what is not an abstraction A framework for abstractions.
Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.

Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space 03-640-760603-640-5358 html://www.cs.tau.ac.il/~msagiv/courses/sem03.html.

Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://

Similar presentations

Ads by Google