Tools for Automated Verification of Concurrent Software Tevfik Bultan Department of Computer Science University of California, Santa Barbara [email protected]

Tools for Automated Verification of Concurrent Software

Tevfik Bultan

Department of Computer Science

University of California, Santa Barbara

[email protected]

http://www.cs.ucsb.edu/~bultan/

http://www.cs.ucsb.edu/~bultan/composite/

Summary

• Goal: Reliable concurrent programming• Sub-goals:

– Developing reliable concurrency controllers in Java– Developing reliable concurrent linked lists

• Approach: Model Checking– Refined Approach: Composite Model Checking

• Specification Language: Action Language• Tools:

– Composite Symbolic Library– Action Language Verifier

Students

Joint work with my students:• Tuba Yavuz-Kahveci• Constantinos Bartzis• Xiang Fu (co-advised with Jianwen Su)• Aysu Betin-Can

Outline

• Difficulties in concurrent programming • A short history of model checking

– 5 key ideas + 2 key tools• Action Language• Composite Symbolic Library• Application to concurrency controllers• Application to concurrent linked lists• Related work• Current and future work

Difficulties in Concurrent Programming

• Concurrent programming is difficult and error prone– In sequential programming you only worry about the

states of the variables– In concurrent programming you also have to worry about

the states of the threads

• State space increases exponentially with the number of threads

Concurrent Programming in Java

• Java uses a variant of monitor programming

• Synchronization using locks– Each object has a locksynchronized(o) { ... }

• Coordination using condition variables– Objects can be used as condition variablessynchronized (condVar){ while (!condExp) wait(condVar); ... notifyAll(condVar); }

Dangers in Java Concurrency

• Nested locks

synchronized m(other) {

other.m();

}

Thread1: run() { o1.m(o2); }

Thread2: run() { o2.m(o1); }

o1 lock o2lock

Thread1 Thread2

Dangers in Java Concurrency

• Missed notification

notify(condVar);

• Forgotten condition check

if(!condExp) wait(condVar);

• Dependency among multiple condition variables can be complicated– Conservative notification and condition check

Inefficient– Optimizing the notification and condition checks

Error prone

A simplified model of Seattle Tacoma International Airport from [Zhong 97]A simplified model of Seattle Tacoma International Airport from [Zhong 97]

Example: Airport Ground Traffic Control Simulation

Control Logic

• An airplane can land using 16R only if no airplane is using 16R at the moment

• An airplane can takeoff using 16L only if no airplane is using 16L at the moment

• An airplane taxiing on one of the exits C3-C8 can cross runway 16L only if no airplane is taking off at the moment

• An airplane can start using 16L for taking off only if none of the crossing exits C3-C8 is occupied at the moment (arriving airplanes have higher priority)

• Only one airplane can use a taxiway at a time

Java Implementation

• Simulate behavior of each airplane with a thread

• Use a monitor (a Java class) – private variables for number of airplanes on each runway

and each taxiway– methods of the monitor enforce the control logic

• Each thread calls the methods of the monitor based on the airport layout to move from one point to the next

Example Implementation

public synchronized void C8_To_B11A() {

while (!((numRW16L == 0) && (numB11A == 0)))

wait();

numC8 = numC8 - 1;

numB11A = numB11A + 1;

notifyAll();

}

• This code is not efficient since every thread wakes up every other thread

• Using separate condition variables complicates the synchronization – nested locks

Difficulties In Implementing Concurrent Linked Lists

• Linked list manipulation is difficult and error prone– State of the heap: unbounded

• State space:– Sequential programming

• states of the variables– Concurrent programming

• states of the variables • states of the threads

– Concurrent linked lists• states of the variables • states of the threads • state of the heap

Examples

• singly linked lists

• doubly linked lists

• stack

• queue

• single lock

• double lock– allows concurrent inserts and deletes

nextnext

nextnextn1n1 n2n2

prevprev nextnextn1n1 n2n2

nextnext

prevprev

nextnextnextnext

n1n1 n2n2toptop

nextnext nextnextn1n1 n2n2firstfirstlastlast

Outline of Our Approach

1. Specify concurrency controllers and concurrent linked lists in Action Language

2. Verify their properties using composite model checking

3. Generate Java classes from the specifications which preserve their properties

Action Language Tool Set

Action LanguageAction LanguageParserParser

Action LanguageAction LanguageVerifierVerifier

Code GeneratorCode Generator Omega Omega LibraryLibrary

CUDDCUDDPackagePackage

Verified code Verified code (Java monitor classes)(Java monitor classes)

MONAMONA

Composite Symbolic LibraryComposite Symbolic Library

PresburgerPresburgerArithmeticArithmeticManipulatorManipulator

BDDBDDManipulatorManipulator

AutomataAutomataManipulatorManipulator

Action LanguageAction LanguageSpecificationSpecification

Outline

• Difficulties in concurrent programming • A short history of model checking in 7 slides


Idea 1: Temporal Logics for Reactive Systems [Pnueli FOCS 77, TCS 81]

Transformational systems get input;

compute something;

return result;

Reactive systems while (true) {

receive some input,

send some output

}

For reactive systems • termination is not relevant• pre and post-conditions are not

enough

Temporal Logics• Invariant p (G p, AG p, p)• Eventually p (F p, AF p, p)• Next p : (X p, AX p, p)• p Until q : ( p U q, A(p U q) )

.

.

....

AF(p), EG(p)F(p)

p

p p

p

G(p)LTL CTL

p

p

p

p

p

p

p

Branching vs. Linear Time

.

.

....

.

.

.

Idea 2: Automated Verification of Finite State Systems [Clarke and Emerson 81], [Queille and Sifakis 82]

Transition Systems• S : Set of states (finite)• I S : Set of initial states• R S S : Transition relation

Model checking problem: Given a temporal logic property, does the transition system satisfy the property?– Complexity: linear in the size

of the transition system

Verification vs. Falsification

Verification:

show: initial states truth set of p

Falsification:

find: a state initial states truth set of p

generate a counter-example starting from that state

Idea 3: Temporal Properties Fixpoints [Emerson and Clarke 80]

• • •• • •ppInitialInitialstatesstates

initial states that satisfy EF(initial states that satisfy EF(pp))

initial states that violate AG(initial states that violate AG(pp))

EF(EF(pp)) states that can reach states that can reach p p p p Pre( Pre(pp)) Pre(Pre( Pre(Pre(pp)) )) ......

• • •• • • EG(EG(p)p) InitialInitialstatesstates

initial states that satisfy EG(initial states that satisfy EG(p)p) initial states that violate AF(initial states that violate AF(pp))

EG(EG(pp)) states that can avoid reaching states that can avoid reaching pp p p Pre( Pre(pp)) Pre(Pre( Pre(Pre(pp)))) ......

EF(EF(pp))

Idea 4: Symbolic Model Checking[McMillan et al. LICS 90]

• Represent sets of states and the transition relation as Boolean logic formulas

• Fixpoint computation becomes formula manipulation– pre and post-condition computations: Existential variable

elimination– conjunction (intersection), disjunction (union) and

negation (set difference), and equivalence check

• Use an efficient data structure – Binary Decision Diagrams (BDDs)

Tool 1: SMV [McMillan 93]

• BDD-based symbolic model checker • Finite state• Temporal logic: CTL• Focus: hardware verification

– Later applied to software specifications, protocols, etc.• SMV has its own input specification language

– concurrency: synchronous, asynchronous – shared variables– boolean and enumerated variables– bounded integer variables (binary encoding)

• SMV is not efficient for integers, can be fixed

Idea 5: LTL Properties Büchi automata [Vardi and Wolper LICS 86]

• Büchi automata: Finite state automata that accept infinite strings

• A Büchi automaton accepts a string when the corresponding run visits an accepting state infinitely often

• The size of the property automaton can be exponential in the size of the LTL formula

G pp p

true

F p pp

true

G (F p) true p

true

Tool 2: SPIN [Holzmann 91, TSE 97]

• Explicit state, finite state• Temporal logic: LTL• Input language: PROMELA

– Asynchronous processes – Shared variables – Message passing through

(bounded) communication channels

– Variables: boolean, char, integer (bounded), arrays (fixed size)

• Property automaton from the negated LTL property

• Product of the property automaton and the transition system (on-the-fly)

• Show that there is no accepting cycle in the product automaton

• Nested depth first search to look for accepting cycles

• If there is a cycle, it corresponds to a counterexample behavior that demonstrates the bug

Model Checking Research

• These 5 key ideas and 2 key tools inspired a lot of research [Clarke, Grumberg and Peled, 99]

– efficient symbolic representations– partial order reductions– abstraction– compositional/modular verification– model checking infinite state systems (pushdown

automata)– model checking real time systems– model checking hybrid systems– model checking programs– ...

Outline



Action Language [Bultan, ICSE 00], [Bultan, Yavuz-Kahveci, ASE 01]

• A state based language– Actions correspond to state changes

• States correspond to valuations of variables– boolean– enumerated– integer (possibly unbounded)– heap variables (i.e., pointers)

• Parameterized constants – specifications are verified for every possible value of the

constant

Action Language

• Transition relation is defined using actions– Atomic actions: Predicates on current and next state

variables– Action composition:

• asynchronous (|) or synchronous (&)• Modular

– Modules can have submodules– A modules is defined as asynchronous and/or

synchronous compositions of its actions and submodules

Readers Writers Example

module main()integer nr;boolean busy;restrict: nr>=0;initial: nr=0 and !busy;

module Reader()boolean reading;initial: !reading;rEnter: !reading and !busy and nr’=nr+1 and reading’;rExit: reading and !reading’ and nr’=nr-1;Reader: rEnter | rExit;

endmodule

module Writer() ... endmodule

main: Reader() | Reader() | Writer() | Writer();spec: invariant([busy => nr=0])

endmodule

S S :: Cartesian product ofCartesian product of variable domains defines variable domains defines the set of statesthe set of states

I I : Predicates defining : Predicates defining the initial statesthe initial states

RR : Atomic actions of the : Atomic actions of the ReaderReader

RR : Transition relation of : Transition relation of Reader defined as Reader defined as asynchronous composition asynchronous composition of its atomic actionsof its atomic actions

RR : Transition relation of main defined as asynchronous : Transition relation of main defined as asynchronous composition of two Reader and two Writer processescomposition of two Reader and two Writer processes

Outline



Which Symbolic Representation to Use?

BDDs• canonical and efficient

representation for Boolean logic formulas

• can only encode finite sets

Linear Arithmetic Constraints• can encode infinite sets• two representations

– polyhedral representation– automata representation

• not efficient for encoding boolean domains

F

F

F

T

T

x y {(T,T), (T,F), (F,T)}

a > 0 b = a+1

{(1,2), (2,3), (3,4),...}

T

x

y

Composite Model Checking[Bultan, Gerber, League ISSTA 98, TOSEM 00]

• Map each variable type to a symbolic representation– Map boolean and enumerated types to BDD

representation– Map integer type to a linear arithmetic constraint

representation• Use a disjunctive representation to combine different

symbolic representations: composite representation• Each disjunct is a conjunction of formulas represented by

different symbolic representations– we call each disjunct a composite atom

Composite Representation

i tii

n

ipppP

...

211

symbolic rep. 1

symbolic rep. 2

symbolic rep. t

composite atom

Example:

x: integer, y: boolean

x>0 and x´x-1 and y´ or x<=0 and x´x and yý

arithmetic constraintrepresentation

BDD arithmetic constraintrepresentation

BDD

Composite Symbolic Library [Yavuz-Kahveci, Tuncer, Bultan TACAS01], [Yavuz-Kahveci, Bultan STTT]

• Uses a common interface for each symbolic representation

• Easy to extend with new symbolic representations

• Enables polymorphic verification

• Multiple symbolic representations:– As a BDD library we use Colorado University Decision

Diagram Package (CUDD) [Somenzi et al] – As an integer constraint manipulator we use Omega

Library [Pugh et al]

Composite Symbolic Library Class Diagram

CUDD Library OMEGA Library

Symbolic+intersect()

+union()+complement()+isSatisfiable()+isSubset()+pre()+post()

CompSym

–representation: list of comAtom

+intersect()+ union() • • •

BoolSym

–representation: BDD

+intersect()+union() • • •

IntSym

–representation: Polyhedra

+intersect()+union() • • •

compAtom

–atom: *Symbolic

Composite Symbolic Representation

b’

x: integer, y:boolean

x>0 and x´x-1 and y´ or x<=0 and x´x and yý

: CompSym

representation : List<compAtom>

: ListNode<compAtom> : ListNode<compAtom>

next :*ListNode<compAtom> next: *ListNode<compAtom>

data : compAtom data : compAtom

01

y´ x>0 and x´=x-1

01

y’=yx<=0 and x’=x

Pre and Post-condition Computation

Variables:x: integer, y: boolean

Transition relation:R: x>0 and x´x-1 and y´ or x<=0 and x´x and yý

Set of states: s: x=2 and !y or x=0 and !y

Compute post(s,R)

Pre and Post-condition Distribute

R: x>0 and x´x-1 and y´ or x<=0 and x´x and yý

s: x=2 and !y or x=0 and y

post(s,R) = post(x=2 , x>0 and x´x-1) post(!y , y´) x=1 y

post(x=2 , x<=0 and x´x) post (!y , yý) false !y

post(x=0 , x>0 and x´x-1) post(y , y´) false y

post (x=0 , x<=0 and x´x) post (y, yý ) x=0 y

= x=1 and y or x=0 and y

Polymorphic Verifier

Symbolic TranSys::check(Node *f) {

•

•

•

Symbolic s = check(f.left)

case EX:

s.pre(transRelation)

case EF:

do

sold = s

s.pre(transRelation)

s.union(sold)

while not sold.isEqual(s) •

•

•

}

Action Language Verifier Action Language Verifier is polymorphicis polymorphic

It becomes a BDD based model It becomes a BDD based model checker when there or no integer checker when there or no integer variablesvariables

Heuristics for Composite Representation[Yavuz-Kahveci, Bultan FroCos 02]

• Masking– compute operations on BDDs first– avoid redundant computations on integer part

• Incremental subset check– Exploit the disjunctive structure by computing subset

checks incrementally• Interleaving pre-condition computation with the subset

check in least-fixpoint computations• Simplification

– Reduce the number of disjuncts in the composite representation by iteratively merging matching disjuncts

Some Experiments

Problem Instance

All Heuristics

Time (sec) Memory (MB)

No Heuristics

Time (sec) Memory (MB)

Barber2-2 0.27 8.80 1327.82 464.14

Barber3-2 0.35 9.50

Bakery2i 0.21 7.80 5.52 94.66

Bakery3i 8.26 19.60

Lightcontrol 0.12 7.90 81.05 48.40

Without the simplification for 15 out of 39 problem instances the verifier ran out of memory

Outline



Application to Concurrency Controllers[Yavuz-Kahveci, Bultan ISTTA 02] [Betin-Can, Bultan SoftMC 03]

Outline of our approach:

1. Specify concurrency controllers and concurrent linked lists in Action Language

2. Verify their properties using composite model checking

3. Generate Java classes from the specifications which preserve their properties

Readers-Writers Controller

module main()integer nr;boolean busy;restrict: nr>=0;initial: nr=0 and !busy;module Reader()

boolean reading;initial: !reading;rEnter: !reading and !busy and nr’=nr+1 and reading’;rExit: reading and !reading’ and nr’=nr-1;Reader: rEnter | rExit;

endmodulemodule Writer()

boolean writing;initial: !writing;wEnter: !writing and nr=0 and !busy and busy’ and writing’;wExit: writing and !writing’ and !busy’;Writer: wEnter | wExit;

endmodulemain: Reader() | Reader() | Writer() | Writer();spec: invariant([busy => nr=0])

endmodule

Arbitrary Number of Threads

• Counting abstraction– Create an integer variable for each local state of a

thread– Each variable will count the number of threads in a

particular state • Local states of the threads have to be finite

– Specify only the thread behavior that relates to the correctness of the controller

– Shared variables of the controller can be unbounded• Counting abstraction can be automated

Readers-Writers After Counting Abstraction

module main()integer nr;boolean busy;

parameterized integer numReader, numWriter;restrict: nr>=0 and numReader>=0 and numWriter>=0;initial: nr=0 and !busy;module Reader()

integer readingF, readingT;initial: readingF=numReader and readingT=0;rEnter: readingF>0 and !busy and nr’=nr+1 and readingF’=readingF-1 and

readingT’=readingT+1;rExit: readingT>0 and nr’=nr-1 readingT’=readingT-1

and readingF’=readingF+1;Reader: rEnter | rExit;

endmodulemodule Writer()

...endmodulemain: Reader() | Writer();spec: invariant([busy => nr=0])

endmodule

Variables introduced by the counting abstractions

Parameterized constants introduced by the counting abstractions

Verification of Readers-Writers Controller

Integers Booleans Cons. Time (secs.)

Ver. Time (secs.)

Memory (Mbytes)

RW-4 1 5 0.04 0.01 6.6

RW-8 1 9 0.08 0.01 7

RW-16 1 17 0.19 0.02 8

RW-32 1 33 0.53 0.03 10.8

RW-64 1 65 1.71 0.06 20.6

RW-P 7 1 0.05 0.01 9.1

SUN ULTRA 10 (768 Mbyte main memory)

What about the Java Implementation?

• We can automatically generate code from the controller specification – Generate a Java class– Make shared variables private variables– Use synchronization to restrict access

• Is the generated code efficient?– Yes! – We can synthesize the condition variables automatically– There is no unnecessary thread notification

Specific Notification Pattern[Cargill 96]

public class ReadersWriters{ private int nr; private boolean busy; private Object rEnterCond, wEnterCond; private synchronized boolean Guard_rEnter() { if (!busy) { nr++; return true; } else return false; } public void rEnter() { synchronized(rEnterCond) { while(!Guard_rEnter()) rEnterCond.wait(); } public void rExit() { synchronized(this) { nr--; } synchronized(wEnterCond) { wEnterCond.notify(); } } ...}

All condition variables andAll condition variables andwait and signal operations are wait and signal operations are generated automaticallygenerated automatically

rEnter: !reading and !busy and nr’=nr+1 and reading’;

A simplified model of Seattle Tacoma International Airport from [Zhong 97]A simplified model of Seattle Tacoma International Airport from [Zhong 97]

Example: Airport Ground Traffic Control

Action Language Specification

module main() integer numRW16R, numRW16L, numC3, ...; initial: numRW16R=0 and numRW16L=0 and ...; module Airplane() enumerated pc {arFlow, touchDown, parked, depFlow, taxiTo16LC3, ..., taxiFr16LB2, ..., takeoff}; initial: pc=arFlow or pc=parked; reqLand: pc=arFlow and numRW16R=0 and pc’=touchDown and numRW16R’=numRW16R+1; exitRW3: pc =touchDown and numC3=0 and numC3’=numC3+1 and numRW16R’=numRW16R-1 and pc’=taxiTo16LC3; ... Airplane: reqLand | exitRW3 | ...; endmodule main: AirPlane() | Airplane() | Airplane() | ....; spec: AG(numRW16R1 and numRW16L 1) spec: AG(numC3 1) spec: AG((numRW16L=0 and numC3+numC4+...+numC8>0) => AX(numRW16L=0)) endmodule

Airport Ground Traffic Control

• Action Language specification– Has 13 integer variables– Has 6 Boolean variables per airplane process to keep

the local state of each airplane– 20 actions

• Automatically generated Java monitor class– Has 13 integer variables– Has 14 condition variables– Has 34 methods

Experiments

Processes Construction(sec) Verify-P1(sec) Verify-P2(sec) Verify-P3(sec)

2 0.81 0.42 0.28 0.69

4 1.50 0.78 0.50 1.13

8 3.03 1.53 0.99 2.22

16 6.86 3.02 2.03 5.07

2A,PD 1.02 0.64 0.43 0.83

4A,PD 1.94 1.19 0.81 1.39

8A,PD 3.95 2.28 1.54 2.59

16A,PD 8.74 4.6 3.15 5.35

PA,2D 1.67 1.31 0.88 3.94

PA,4D 3.15 2.42 1.71 5.09

PA,8D 6.40 4.64 3.32 7.35

PA,16D 13.66 9.21 7.02 12.01

PA,PD 2.65 0.99 0.57 0.43

A: Arriving AirplaneA: Arriving AirplaneD: Departing AirplaneD: Departing AirplaneP: Arbitrary number of threadsP: Arbitrary number of threads

Efficient Java Implementation

public class airport { private int numRW16R; private int numRW16L; private int numC3; .... private Object CondreqLand; private Object CondexitRW3; ... public airport() {

numRW16R = 0 ;numRW16L = 0 ;

... }

private synchronized boolean Guarded_reqLand(){

if(numRW16R == 0) { numRW16R = numRW16R + 1;

return true; }else return false ;}

public void reqLand(){ synchronized(CondreqLand){ while (! Guarded_reqLand()){ try{ CondreqLand.wait(); } catch(InterruptedException e){;} } }}

Outline



Heap Type[Yavuz-Kahveci, Bultan SAS 02]

• Heap type in Action Language

heap {next} top;

• Heap type represents dynamically allocated storage

top’=new;

• We need to add a symbolic representation for the heap type to the Composite Symbolic Library

numItems > 2 => top.next != null

Concurrent Stack

module main() heap {next} top, add, get, newTop; boolean mutex; integer numItems; initial: top=null and mutex and numItems=0; module push() enumerated pc {l1, l2, l3, l4}; initial: pc=l1 and add=null; push1: pc=l1 and mutex and !mutex’ and add’=new and pc’=l2; push2: pc=l2 and numItems=0 and top’=add and numItems’=1 and pc’=l3; push3: pc=l3 and top’.next =null and mutex’ and pc’=l1; push4: pc=l2 and numItems!=0 and add’.next=top and pc’=l4; push5: pc=l4 and top’=add and numItems’=numItems+1 and mutex’ and pc’=l1; push: push1 | push2 | push3 | push4 | push5; endmodule module pop() ... endmodule

main: pop() | pop() | push() | push() ; spec:AG(mutex =>(numItems=0 <=> top=null)) spec: AG(mutex => (numItems>2 => top->next!=null))endmodule

Shape Graphs

• Shape graphs represent the states of the heap

• Each node in the shape graph represents a dynamically allocated memory location

• Heap variables point to nodes of the shape graph • The edges between the nodes show the locations pointed

by the fields of the nodes

addadd toptop

nextnext

nextnextn1n1 n2n2

heap variables heap variables addadd and and toptoppoint to node n1point to node n1

add.nextadd.next is node n2 is node n2top.nexttop.next is also node n2 is also node n2

add.next.nextadd.next.next is is nullnull

Composite Symbolic Library

CUDD Library OMEGA Library

Symbolic+union()

+isSatisfiable()+isSubset()+forwardImage()

CompSym

–representation: list of comAtom

+ union() • • •

BoolSym

–representation: BDD

+union() • • •

compAtom

–atom: *Symbolic

HeapSym

–representation: list of ShapeGraph

+union() • • •

IntSym

–representation: list of Polyhedra

+union() • • •

ShapeGraph

–atom: *Symbolic

Forward Fixpoint

pc=l1 mutex numItems=2

addaddtoptop

pc=l2 mutex numItems=2 addadd toptop

BDDBDD arithmetic constraintarithmetic constraintrepresentationrepresentation

A set of shape graphsA set of shape graphs



Post-condition Computation: Example


pc=l4 and mutex’pc’=l1

pc=l1 mutex

numItems’=numItems+1

numItems=3

top’=add

addadd toptop

set ofset ofstatesstates

transitiontransitionrelationrelation

Fixpoints Do Not Converge

• We have two reasons for non-termination– integer variables can increase without a bound– the number of nodes in the shape graphs can increase

without a bound• The state space is infinite• Even if we ignore the heap variables, reachability is

undecidable when we have unbounded integer variables• So, we use conservative approximations

Conservative Approximations

• Compute a lower ( p ) or an upper ( p+ ) approximation to the truth set of the property ( p )

• Model checker can give three answers:

II pppp

“The property is satisfied”

II pp

“I don’t know”

“The property is false and here is a counter-example”

II pp ppsates whichsates whichviolate the violate the propertyproperty

pp++

pp

Conservative Approximations

• Truncated fixpoint computations– To compute a lower bound for a least-fixpoint

computation – Stop after a fixed number of iterations

• Widening– To compute an upper bound for the least-fixpoint

computation– We use a generalization of the polyhedra widening

operator by • [Cousot and Halbwachs POPL’77]

• Summarization– Generate summary nodes in the shape graphs which

represent more than one concrete node

Summarization

• The nodes that form a chain are mapped to a summary node

• No heap variable points to any concrete node that is mapped to a summary node

• Each concrete node mapped to a summary node is only pointed by a concrete node which is also mapped to the same summary node

• During summarization, we also introduce an integer variable which counts the number of concrete nodes mapped to a summary node

Summarization Example


addaddtoptop

pc=l1 mutex numItems=3 summarycount=2

addaddtoptop

summary nodesummary nodea new integer variablea new integer variablerepresenting the numberrepresenting the numberof concrete nodes encoded of concrete nodes encoded by the summary nodeby the summary node

After summarization, it becomes:After summarization, it becomes:

summarized nodessummarized nodes

Simplification


summaryCount=2

addadd toptop

pc=l1 mutex

addaddtoptop numItems=4

summaryCount=3

==

pc=l1 mutex

addaddtoptop (numItems=4

summaryCount=3

numItems=3

summarycount=2)

Simplification On the Integer Part

pc=l1 mutex

addaddtoptop

(numItems=4

summaryCount=3

numItems=3

summaryCount=2)

==

pc=l1 mutex

addaddtoptop numItems=summaryCount+1

3 numItems

numItems 4

Widening

• Fixpoint computation still will not converge since numItems and summaryCount keep increasing without a bound

• We use the widening operation:– Given two composite atoms c1 and c2 in consecutive

fixpoint iterates, assume that

c1 = b1 i1 h1

c2 = b2 i2 h2

where b1 = b2 and h1 = h2 and i1 i2Assume that i1 is a single polyhedron and i2 is also a single

polyhedron

Widening

• Then

– i1 i2 is defined as: all the constraints in i1 which are also satisfied by i2

• Replace i2 with i1 i2 in c2

• This generates an upper approximation to the forward-fixpoint computation

Widening Example

pc=l1 mutex


3 numItems

numItems 4

pc=l1 mutex


3 numItems

numItems 5

pc=l1 mutex


3 numItems

==

Now, fixpoint convergesNow, fixpoint converges

Verified Properties

Specification Verified Invariants

Stack top=null numItems=0

topnull numItems0

numItems=2 top.nextnull

Single Lock Queue head=null numItems=0

headnull numItems0

(head=tail head null) numItems=1

headtail numItems0

Two Lock Queue numItems>1 headtail

numItems>2 head.nexttail

Experimental Results

Number of

Threads

Queue

HC

Queue

IC

Stack

HC

Stack

IC

2Lock

Queue

HC

2Lock

Queue

IC

1P-1C 10.19 12.95 4.57 5.21 60.5 58.13

2P-2C 15.74 21.64 6.73 8.24 88.26 122.47

4P-4C 31.55 46.5 12.71 15.11

1P-PC 12.85 13.62 5.61 5.73

PP-1C 18.24 19.43 6.48 6.82

HC : heap controlIC : integer control

Verification times in secs

Verifying Linked Lists with Multiple Fields

• Pattern-based summarization– User provides a graph grammar rule to describe the

summarization pattern

L x = next x y, prev y x, L y

• Represent any maximal sub-graph that matches the pattern with a summary node– no node in the sub-graph pointed by a heap variable

Summarization Pattern Examples

......nn nn nnL L x x xx.n = .n = yy, L, L y y

......nn nn nnL L x x xx.n = .n = yy, , yy.p = .p = xx, L, L y y

pp pp pp

L L x x xx.n = .n = yy, , xx.d = .d = zz, L, L y y ......nn nn nn

dd dd dd

Outline



Shape Analysis

• There is a lot of work on Shape analysis, I will just mention the ones which directly influenced us:– [Sagiv,Reps, Wilhelm TOPLAS’98] , [Dor, Rodeh, Sagiv SAS’00]

• Verification of concurrent linked lists with arbitrary number of processes in – [Yahav POPL’01]

• 3-valued logic and instrumentation predicates – [Sagiv,Reps, Wilhelm TOPLAS], [Lev-Ami, Reps, Sagiv, Wilhelm

ISSTA 00]

• Automatically generating instrumentation predicates– [Sagiv,Reps, Wilhelm ESOP 03]

Shape Analysis

• Deutch used integer constraint lattices to compute aliasing information using symbolic access paths– [Deutch PLDI’94]

• The idea of summarization patterns is based on the shape types introduced in– [Fradet and Metayer POPL 97]

Model Checking Software Specifications

• [Atlee, Gannon 93] – Translating SCR mode transition tables to input

language of explicit state model checker EMC [Clarke, Emerson, Sistla 86]

• [Chan et al. 98,00] – Translating RSML specifications to input language of

SMV

• [Bharadwaj, Heitmeyer 99] – Translating SCR specifications to Promela, input

language of automata-theoretic explicit state model checker SPIN

Specification Languages

• Specification languages for verification– [Milner 80] CCS– [Chandy and Misra 88] Unity– [Lamport 94] Temporal Logic of Actions (TLA)

• Specification languages for model checking– [Holzmann 98] Promela– [McMillan 93] SMV– [Alur and Henzinger 96, 99] Reactive Modules

Action Language TLA Connection

• Similarities:– Transition relation is defined using predicates on current

(unprimed) and next state (primed) variables– Each predicate is defined using integer arithmetic,

boolean logic, etc.• Differences: In Action Language

– Temporal operators are not used in defining the transition relation

• Dual language approach: temporal properties (in CTL) are redundant, they are used to check correctness

– Synchronous and asynchronous composition operators are not equivalent to logical operators

Constraint-Based Verification

• [Cooper 71]

– Used a decision procedure for Presburger arithmetic to verify sequential programs represented in a block form

• [Cousot and Halbwachs 78] – Used real arithmetic constraints to discover invariants of

sequential programs• [Halbwachs 93]

– Constraint based delay analysis in synchronous programs

• [Halbwachs et al. 94] – Verification of linear hybrid systems using constraint

representations• [Alur et al. 96]

– HyTech, a model checker for hybrid systems

Constraint-Based Verification

• [Boigelot and Wolper 94] – Verification with periodic sets

• [Boigelot et al.] – Meta-transitions, accelerations

• [Delzanno and Podelski 99]

– Built a model checker using constraint logic programming framework

• [Boudet Comon], [Wolper and Boigelot ‘00] – Translating linear arithmetic constraints to automata

Automata-Based Representations

• [Klarlund et al.] – MONA, an automata manipulation tool for verification

• [Boudet Comon] – Translating linear arithmetic constraints to automata

• [Wolper and Boigelot ‘00] – verification using automata as a symbolic representation

• [Kukula et al. 98] – application of automata based verification to hardware

verification

Combining Symbolic Representations

• [Chan et al. CAV’97]

– both linear and non-linear constraints are mapped to BDDs

– Only data-memoryless and data-invariant transitions are supported

• [Bharadwaj and Sims TACAS’00]

– Combines automata based representations (for linear arithmetic constraints) with BDDs

– Specialized for inductive invariant checking• [Bensalem et al. 00]

– Symbolic Analysis Laboratory– Designed a specification language that allows integration

of different verification tools

Model Checking Programs

• Verisoft from Bell Labs [Godefroid POPL 97]

– C programs, handles concurrency, bounded search, bounded recursion, stateless search

• Java Path Finder (JPF) at NASA Ames [Havelund, Visser]

– Explicit state model checking for Java programs, bounded search, bounded recursion, handles concurrency

• SLAM project at Microsoft Research[Ball, Rajamani et al. SPIN 00, PLDI 01]

– Symbolic model checking for C programs, unbounded recursion, no concurrency

– Uses predicate abstraction [Saidi, Graf 97] and BDDs • BANDERA: A tool for extracting finite state models from

programs [Dwyer, Hatcliff et al ICSE 00, 01]

Outline



Current and Future Work

• Automata representation for linear arithmetic constraints

• Interface based specification and verification of concurrency controllers

• Specification and verification of web services

Automata Representation for Arithmetic Constraints

[Bartzis, Bultan, CIAA 02], [Bartzis, Bultan, IJFCS]

[Bartzis, Bultan TACAS 03], [Bartzis, Bultan CAV 03]

• Given a linear arithmetic formula construct a deterministic finite automaton that accepts the integers that satisfy the formula.

• Used MONA package• Complexity results

-2 -1 1 0

sink

0 10, 0

00

0 11, 1

0 10, 0

0 11, 1

0 0 1 10, 1, 0, 1

01

01

10

001

1

11

10

A finite automaton for2x - 3y = 2

Concurrency Controllers and Interfaces

[Betin-Can, Bultan SoftMC 03]• Concurrency Controller

– Behavior: How do the shared variables change– Interface: In which order are the methods invoked

• Separate Verification– Behavior verification

• Action Language Verifier – Interface verification

• Java PathFinder • A modular approach

– Build complex concurrency controllers by composing interfaces

Example Interface

reqLand

exitRW3crossRW3

park2

reqTakeOff

leave

exitRW4

exitRW5

exitRW6

exitRW7

exitRW8

crossRW5

crossRW6

crossRW7

crossRW8

crossRW4

park11

park10

park9

park7

Verification of Web Services

[Fu, Bultan, Hull, Su TACAS 01, WES 02], [Bultan,Fu,Hull, Su WWW 03], [Fu, Bultan, Su CIAA 03]

• Verification of Vortex workflows using SMV and Action Language Verifier

• A top-down approach to specification and verification of composite web services– Specify the composite web service as a conversation

protocol– Generate peer specifications from the conversation

protocol• Realizability conditions

• Working on the application of this framework to BPEL

ConversationProtocol

AB:msg1

BA:msg2

BC:msg3 C B:msg4

BC:msg5

G(msg1 F(msg3 msg5))? LTL property

Model Checking

!msg1

?msg2

Peer A?msg1

!msg2

!msg5

!msg3

?msg4

Peer B

?msg3

!msg4

Peer C

Peer A Peer B Peer C

msg1

msg2,msg6

msg3,msg5

msg4

ConversationSchema

Peer Synthesis

InputQueue

...Virtual Watcher

?msg6

BA:msg6

!msg6

?msg5

The End

Documents

Tools for Automated Verification of Concurrent Software Tevfik Bultan Department of Computer Science University of California, Santa Barbara [email protected]