Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dynamic Component Substitutability Analysis Edmund Clarke Natasha Sharygina* Nishant Sinha Carnegie Mellon University The University of Lugano.

Published byChester Whitehead Modified over 9 years ago

Similar presentations

Presentation on theme: "Dynamic Component Substitutability Analysis Edmund Clarke Natasha Sharygina* Nishant Sinha Carnegie Mellon University The University of Lugano."— Presentation transcript:

1 Dynamic Component Substitutability Analysis Edmund Clarke Natasha Sharygina* Nishant Sinha Carnegie Mellon University The University of Lugano

2 Motivation Model checking is a highly time consuming, labor intensive effort For example, a system of 25 components (~20K LOC) and 100+ properties might take up to a month of verification effort Discourages its widespread use when system evolves

3 Software Evolution Software evolution is inevitable in any real system: – Changing requirements – Bug fixes – Product changes (underlying platform, third- party,etc.)

4 Substitutability Check Assembly A Component C Component C’ P ?

5 Motivation Component-based Software –Software modules shipped by separate developers –Undergo several updates/bug-fixes during their lifecycle Component assembly verification –Necessary on upgrade of any component –High costs of complete global verification –Instead check for substitutability of new component

6 Substitutability Check Incremental in nature Two phases: –Containment check All local behaviors (services) of the previous component contained in new one –Compatibility check Safety with respect to other components in assembly: all global specifications still hold

7 Containment, Compatibility Duality Component C Containment Check (local) Compatibility Check (global) Identical Behaviors New Behaviors Lost Behaviors Upgraded Component C’

8 Substitutability Check Approaches –Obtain a finite behavioral model of all components by abstraction: Labeled Kripke structures –Containment: Use under- and over- approximations –Compatibility: Use dynamic assume-guarantee reasoning

9 Predicate Abstraction into LKS Labeled Kripke Structures – Composition semantics –Synchronize on shared actions Represents abstractions p !q q    !p C Component Component LKS Abstraction Predicate Abstraction

10 Component Assembly A set of communicating concurrent C programs –No recursion, procedures inlined Each component abstracted into a Component LKS –Communication between components is abstracted into interface actions C1C1 C2C2 C3C3 M1M1 M2M2 M3M3 Component Assembly C Abstraction M Predicate Abstraction

11 Predicate Abstraction into LKS L1 lock = 0 if (x < y) lock=1 x < y if (x >= y) lock = 0 x < y if (x < y) x >= y lock=1 void OSSemPend(…) { L1: lock = 1; if (x < y) { L2: lock = 0; … } if (x >= y) { … L3: lock = 0; … } else { … } L2  if (x >= y) x >= y   L3 

12 Containment Check Goal: Check C µ C’ –All behaviors retained after upgrade –Cannot check directly: need approximations Idea: Use both under- and over- approximations Solution: –Compute M: C µ M –Compute M’: M’ µ C’ –Check for M µ M’ C Containment Check Identical NewLost C’

13 Containment (contd.) CC’ M M’ over-approxunder-approx µ ? True C µ C’ False, CE CE 2 C ? False, Refine M CE 2 C’ ? True, Refine M’ C * C’, CE provided as feedback False True M C C’ M’

14 Containment (contd.) Computing over-approximation –Conventional predicate abstraction Computing under-approximation –Modified predicate abstraction –Compute Must transitions instead of May

15 Compatibility Check C Identical NewLost C’ Assume-guarantee to verify assembly properties Automatically generate assumption A –Cobleigh et. al. at NASA Ames Use learning algorithm for regular languages, L* M 1 || A ² P M 2 ² A M 1 || M 2 ² P AG - Non Circular Goal: Reuse previous verification results

16 L* learner Learning Regular languages: L* Proposed by D. Angluin, improved by Rivest et al. –Learning regular sets from queries and counterexamples, Information and Computation, 75(2), 1987. Polynomial in the number of states and length of max counterexample Minimally adequate Teacher IsMember( trace  ) IsCandidate( DFA D ) a b a b Unknown Regular Language ±Counterexample/ Yes Modelchecker Yes/No Minimum DFA

17 Learning for Verification Model checker as a Teacher –Possesses information about concrete components –Model checks and returns true/counterexample Learner builds a model sufficient to verify properties Relies on both learner and teacher being efficient Finding wide applications –Adaptive Model Checking: Groce et al. –Automated Assume-Guarantee Reasoning: Cobleigh et al. –Synthesize Interface Specifications for Java Programs: Alur et al. –Regular Model Checking: Vardhan et al., Habermehl et al.

18 Compatibility Check R 1 : M 1 || A ² P R 2 : M 2 ² A true L* Assumption Generation A CE CE Analysis Actual CE M 1 || M 2 2 P -CE for A +CE for A Teacher M 1 || M 2 ² P true

19 Handling Multiple Components AG-NC is recursive –(Cobleigh et al.) R 1 : M 1 || A ² P R 2 : M 2 ² A M 1 || M 2 ² P M 1 k A 1 ² P M 2 k A 2 ² A 1 M 3 ² A 2 M 2 k M 3 ² A 1 M 1 k M 2 k M 3 ² P Each A i computed by a separate L* instantiation

20 Compatibility of Upgrades Suppose assumptions are available from the old assembly Dynamic AG: Reuse previous verification results C Identical NewLost C’ Can we reuse previous assumptions directly? NO: upgrades may change the unknown U to be learned Requires Dynamic L* M 1 k A 1 ² P M 2 ² A 1 M 1 k M 2 ² P M’ 1 k A’ 1 ² P M 2 ² A’ 1 M’ 1 k M 2 ² P Upgrade Reuse?

21 Dynamic L* Learn DFA A corresponding to U Unknown language U changes to U’ Goal: Continue learning from previous model A Central Idea: Re-validate A to A’ which agrees with U’

22 Dynamic L* L* maintains a table data-structure to store samples Definition: Valid Tables –All table entries agree with U Theorem –L* terminates with any valid observation table, OT When U changes to U’, –Suppose the last candidate w.r.t. U is A –Re-validate OT of A w.r.t. U’ –Obtain A’ from OT’ –Continue learning from A’

23 Dynamic AG M 1 k A 1 ² P M 2 ² A 1 M 1 k M 2 ² P M’ 1 k A’ 1 ² P M 2 ² A’ 1 M’ 1 k M 2 ² P Re-Validate! and Reuse Upgrade

24 Implementation Comfort framework – explicit model checker Industrial benchmark –ABB Inter-process Communication (IPC) software –4 main components – CriticalSection, IPCQueue, ReadMQ, WriteMQ Evaluated on single and simultaneous upgrades – WriteMQ and IPCQueue components Properties –P 1 : Write after obtaining CS lock –P 2 : Correct protocol to write to IPCQueue

25 Experimental Results Upgrade# (Property) #Mem QueriesT orig (msec)T ug (msec) Ipc 1 (P 1 ) 279226013 Ipc 1 (P 2 ) 308169414 Ipc 2 (P 1 ) 358328617 Ipc 2 (P 2 ) 23280510 Ipc 3 (P 1 ) 363362417 Ipc 3 (P 2 ) 258164914 Ipc 4 (P 1 ) 355110224

26 ComFoRT Schema Verification Yes System OK Abstraction Model Counterexample Valid? System Abstraction Guidance Yes No Counterexample Abstraction Refinement Improved Abstraction Guidance No Spurious Counterexample Dynamic Assume-Guarantee Reasoning

27 Conclusion Automated Substitutability Checking –Containment and Compatibility –Reuses previous verification results –Handles multiple upgrades –Built upon CEGAR framework Implementation –ComFoRT framework –Promising results on an industrial example

28 Future Directions Symbolic analysis, i.e., using SATABS Assume-Guarantee for Liveness Other AG Rules, e.g., Circular Combining static analysis with dynamic testing for facilitate abstraction and learning

29 Ph.D. position is open New EU project on verification of evolving networked software –Collaboration with IBM, ABB, VTT, Uni Milano and Oxford

Download ppt "Dynamic Component Substitutability Analysis Edmund Clarke Natasha Sharygina* Nishant Sinha Carnegie Mellon University The University of Lugano."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.

Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.
October 29, 2004SAVCBS04 Presented by: Gaoyan Xie CTL Model-checking for Systems with Unspecified Components Gaoyan Xie and Zhe Dang School of Electrical.

October 29, 2004SAVCBS04 Presented by: Gaoyan Xie CTL Model-checking for Systems with Unspecified Components Gaoyan Xie and Zhe Dang School of Electrical.
A Survey of Runtime Verification Jonathan Amir 2004.

A Survey of Runtime Verification Jonathan Amir 2004.
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Hierarchical Cache Coherence Protocol Verification One Level at a Time through Assume Guarantee Xiaofang Chen, Yu Yang, Michael Delisi, Ganesh Gopalakrishnan.

Hierarchical Cache Coherence Protocol Verification One Level at a Time through Assume Guarantee Xiaofang Chen, Yu Yang, Michael Delisi, Ganesh Gopalakrishnan.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Justification-based TMSs (JTMS) JTMS utilizes 3 types of nodes, where each node is associated with an assertion: 1.Premises. Their justifications (provided.

Justification-based TMSs (JTMS) JTMS utilizes 3 types of nodes, where each node is associated with an assertion: 1.Premises. Their justifications (provided.
© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.

© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.
Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.

Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.
Carnegie Mellon University Java PathFinder and Model Checking of Programs Guillaume Brat, Dimitra Giannakopoulou, Klaus Havelund, Mike Lowry, Phil Oh,

Carnegie Mellon University Java PathFinder and Model Checking of Programs Guillaume Brat, Dimitra Giannakopoulou, Klaus Havelund, Mike Lowry, Phil Oh,
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
Automated assume-guarantee reasoning for component verification Dimitra Giannakopoulou (RIACS), Corina Păsăreanu (Kestrel) Automated Software Engineering.

Automated assume-guarantee reasoning for component verification Dimitra Giannakopoulou (RIACS), Corina Păsăreanu (Kestrel) Automated Software Engineering.
Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.

Software Verification via Refinement Checking Sagar Chaki, Edmund Clarke, Alex Groce, CMU Somesh Jha, Wisconsin.
Train Control Language Teaching Computers Interlocking By: J. Endresen, E. Carlson, T. Moen1, K. J. Alme, Haugen, G. K. Olsen & A. Svendsen Synthesizing.

Train Control Language Teaching Computers Interlocking By: J. Endresen, E. Carlson, T. Moen1, K. J. Alme, Haugen, G. K. Olsen & A. Svendsen Synthesizing.
A … Framework for Verifying Concurrent C Programs Sagar Chaki Thesis Defense Talk.

A … Framework for Verifying Concurrent C Programs Sagar Chaki Thesis Defense Talk.
1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.

1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.

Similar presentations

Ads by Google