View
218
Download
0
Embed Size (px)
Citation preview
Tools for Automated Verification of Concurrent Software
Tevfik Bultan
Department of Computer Science
University of California, Santa Barbara
http://www.cs.ucsb.edu/~bultan/
http://www.cs.ucsb.edu/~bultan/composite/
Summary
• Goal: Reliable concurrent programming• Sub-goals:
– Developing reliable concurrency controllers in Java– Developing reliable concurrent linked lists
• Approach: Model Checking– Refined Approach: Composite Model Checking
• Specification Language: Action Language• Tools:
– Composite Symbolic Library– Action Language Verifier
Students
Joint work with my students:• Tuba Yavuz-Kahveci• Constantinos Bartzis• Xiang Fu (co-advised with Jianwen Su)• Aysu Betin-Can
Outline
• Difficulties in concurrent programming • A short history of model checking
– 5 key ideas + 2 key tools• Action Language• Composite Symbolic Library• Application to concurrency controllers• Application to concurrent linked lists• Related work• Current and future work
Difficulties in Concurrent Programming
• Concurrent programming is difficult and error prone– In sequential programming you only worry about the
states of the variables– In concurrent programming you also have to worry about
the states of the threads
• State space increases exponentially with the number of threads
Concurrent Programming in Java
• Java uses a variant of monitor programming
• Synchronization using locks– Each object has a locksynchronized(o) { ... }
• Coordination using condition variables– Objects can be used as condition variablessynchronized (condVar){ while (!condExp) wait(condVar); ... notifyAll(condVar); }
Dangers in Java Concurrency
• Nested locks
synchronized m(other) {
other.m();
}
Thread1: run() { o1.m(o2); }
Thread2: run() { o2.m(o1); }
o1 lock o2lock
Thread1 Thread2
Dangers in Java Concurrency
• Missed notification
notify(condVar);
• Forgotten condition check
if(!condExp) wait(condVar);
• Dependency among multiple condition variables can be complicated– Conservative notification and condition check
Inefficient– Optimizing the notification and condition checks
Error prone
A simplified model of Seattle Tacoma International Airport from [Zhong 97]A simplified model of Seattle Tacoma International Airport from [Zhong 97]
Example: Airport Ground Traffic Control Simulation
Control Logic
• An airplane can land using 16R only if no airplane is using 16R at the moment
• An airplane can takeoff using 16L only if no airplane is using 16L at the moment
• An airplane taxiing on one of the exits C3-C8 can cross runway 16L only if no airplane is taking off at the moment
• An airplane can start using 16L for taking off only if none of the crossing exits C3-C8 is occupied at the moment (arriving airplanes have higher priority)
• Only one airplane can use a taxiway at a time
Java Implementation
• Simulate behavior of each airplane with a thread
• Use a monitor (a Java class) – private variables for number of airplanes on each runway
and each taxiway– methods of the monitor enforce the control logic
• Each thread calls the methods of the monitor based on the airport layout to move from one point to the next
Example Implementation
public synchronized void C8_To_B11A() {
while (!((numRW16L == 0) && (numB11A == 0)))
wait();
numC8 = numC8 - 1;
numB11A = numB11A + 1;
notifyAll();
}
• This code is not efficient since every thread wakes up every other thread
• Using separate condition variables complicates the synchronization – nested locks
Difficulties In Implementing Concurrent Linked Lists
• Linked list manipulation is difficult and error prone– State of the heap: unbounded
• State space:– Sequential programming
• states of the variables– Concurrent programming
• states of the variables • states of the threads
– Concurrent linked lists• states of the variables • states of the threads • state of the heap
Examples
• singly linked lists
• doubly linked lists
• stack
• queue
• single lock
• double lock– allows concurrent inserts and deletes
nextnext
nextnextn1n1 n2n2
prevprev nextnextn1n1 n2n2
nextnext
prevprev
nextnextnextnext
n1n1 n2n2toptop
nextnext nextnextn1n1 n2n2firstfirstlastlast
Outline of Our Approach
1. Specify concurrency controllers and concurrent linked lists in Action Language
2. Verify their properties using composite model checking
3. Generate Java classes from the specifications which preserve their properties
Action Language Tool Set
Action LanguageAction LanguageParserParser
Action LanguageAction LanguageVerifierVerifier
Code GeneratorCode Generator Omega Omega LibraryLibrary
CUDDCUDDPackagePackage
Verified code Verified code (Java monitor classes)(Java monitor classes)
MONAMONA
Composite Symbolic LibraryComposite Symbolic Library
PresburgerPresburgerArithmeticArithmeticManipulatorManipulator
BDDBDDManipulatorManipulator
AutomataAutomataManipulatorManipulator
Action LanguageAction LanguageSpecificationSpecification
Outline
• Difficulties in concurrent programming • A short history of model checking in 7 slides
– 5 key ideas + 2 key tools• Action Language• Composite Symbolic Library• Application to concurrency controllers• Application to concurrent linked lists• Related work• Current and future work
Idea 1: Temporal Logics for Reactive Systems [Pnueli FOCS 77, TCS 81]
Transformational systems get input;
compute something;
return result;
Reactive systems while (true) {
receive some input,
send some output
}
For reactive systems • termination is not relevant• pre and post-conditions are not
enough
Temporal Logics• Invariant p (G p, AG p, p)• Eventually p (F p, AF p, p)• Next p : (X p, AX p, p)• p Until q : ( p U q, A(p U q) )
.
.
....
AF(p), EG(p)F(p)
p
p p
p
G(p)LTL CTL
p
p
p
p
p
p
p
Branching vs. Linear Time
.
.
....
.
.
.
Idea 2: Automated Verification of Finite State Systems [Clarke and Emerson 81], [Queille and Sifakis 82]
Transition Systems• S : Set of states (finite)• I S : Set of initial states• R S S : Transition relation
Model checking problem: Given a temporal logic property, does the transition system satisfy the property?– Complexity: linear in the size
of the transition system
Verification vs. Falsification
Verification:
show: initial states truth set of p
Falsification:
find: a state initial states truth set of p
generate a counter-example starting from that state
Idea 3: Temporal Properties Fixpoints [Emerson and Clarke 80]
• • •• • •ppInitialInitialstatesstates
initial states that satisfy EF(initial states that satisfy EF(pp))
initial states that violate AG(initial states that violate AG(pp))
EF(EF(pp)) states that can reach states that can reach p p p p Pre( Pre(pp)) Pre(Pre( Pre(Pre(pp)) )) ......
• • •• • • EG(EG(p)p) InitialInitialstatesstates
initial states that satisfy EG(initial states that satisfy EG(p)p) initial states that violate AF(initial states that violate AF(pp))
EG(EG(pp)) states that can avoid reaching states that can avoid reaching pp p p Pre( Pre(pp)) Pre(Pre( Pre(Pre(pp)))) ......
EF(EF(pp))
Idea 4: Symbolic Model Checking[McMillan et al. LICS 90]
• Represent sets of states and the transition relation as Boolean logic formulas
• Fixpoint computation becomes formula manipulation– pre and post-condition computations: Existential variable
elimination– conjunction (intersection), disjunction (union) and
negation (set difference), and equivalence check
• Use an efficient data structure – Binary Decision Diagrams (BDDs)
Tool 1: SMV [McMillan 93]
• BDD-based symbolic model checker • Finite state• Temporal logic: CTL• Focus: hardware verification
– Later applied to software specifications, protocols, etc.• SMV has its own input specification language
– concurrency: synchronous, asynchronous – shared variables– boolean and enumerated variables– bounded integer variables (binary encoding)
• SMV is not efficient for integers, can be fixed
Idea 5: LTL Properties Büchi automata [Vardi and Wolper LICS 86]
• Büchi automata: Finite state automata that accept infinite strings
• A Büchi automaton accepts a string when the corresponding run visits an accepting state infinitely often
• The size of the property automaton can be exponential in the size of the LTL formula
G pp p
true
F p pp
true
G (F p) true p
true
Tool 2: SPIN [Holzmann 91, TSE 97]
• Explicit state, finite state• Temporal logic: LTL• Input language: PROMELA
– Asynchronous processes – Shared variables – Message passing through
(bounded) communication channels
– Variables: boolean, char, integer (bounded), arrays (fixed size)
• Property automaton from the negated LTL property
• Product of the property automaton and the transition system (on-the-fly)
• Show that there is no accepting cycle in the product automaton
• Nested depth first search to look for accepting cycles
• If there is a cycle, it corresponds to a counterexample behavior that demonstrates the bug
Model Checking Research
• These 5 key ideas and 2 key tools inspired a lot of research [Clarke, Grumberg and Peled, 99]
– efficient symbolic representations– partial order reductions– abstraction– compositional/modular verification– model checking infinite state systems (pushdown
automata)– model checking real time systems– model checking hybrid systems– model checking programs– ...
Outline
• Difficulties in concurrent programming • A short history of model checking
– 5 key ideas + 2 key tools• Action Language• Composite Symbolic Library• Application to concurrency controllers• Application to concurrent linked lists• Related work• Current and future work
Action Language [Bultan, ICSE 00], [Bultan, Yavuz-Kahveci, ASE 01]
• A state based language– Actions correspond to state changes
• States correspond to valuations of variables– boolean– enumerated– integer (possibly unbounded)– heap variables (i.e., pointers)
• Parameterized constants – specifications are verified for every possible value of the
constant
Action Language
• Transition relation is defined using actions– Atomic actions: Predicates on current and next state
variables– Action composition:
• asynchronous (|) or synchronous (&)• Modular
– Modules can have submodules– A modules is defined as asynchronous and/or
synchronous compositions of its actions and submodules
Readers Writers Example
module main()integer nr;boolean busy;restrict: nr>=0;initial: nr=0 and !busy;
module Reader()boolean reading;initial: !reading;rEnter: !reading and !busy and nr’=nr+1 and reading’;rExit: reading and !reading’ and nr’=nr-1;Reader: rEnter | rExit;
endmodule
module Writer() ... endmodule
main: Reader() | Reader() | Writer() | Writer();spec: invariant([busy => nr=0])
endmodule
S S :: Cartesian product ofCartesian product of variable domains defines variable domains defines the set of statesthe set of states
I I : Predicates defining : Predicates defining the initial statesthe initial states
RR : Atomic actions of the : Atomic actions of the ReaderReader
RR : Transition relation of : Transition relation of Reader defined as Reader defined as asynchronous composition asynchronous composition of its atomic actionsof its atomic actions
RR : Transition relation of main defined as asynchronous : Transition relation of main defined as asynchronous composition of two Reader and two Writer processescomposition of two Reader and two Writer processes
Outline
• Difficulties in concurrent programming • A short history of model checking
– 5 key ideas + 2 key tools• Action Language• Composite Symbolic Library• Application to concurrency controllers• Application to concurrent linked lists• Related work• Current and future work
Which Symbolic Representation to Use?
BDDs• canonical and efficient
representation for Boolean logic formulas
• can only encode finite sets
Linear Arithmetic Constraints• can encode infinite sets• two representations
– polyhedral representation– automata representation
• not efficient for encoding boolean domains
F
F
F
T
T
x y {(T,T), (T,F), (F,T)}
a > 0 b = a+1
{(1,2), (2,3), (3,4),...}
T
x
y
Composite Model Checking[Bultan, Gerber, League ISSTA 98, TOSEM 00]
• Map each variable type to a symbolic representation– Map boolean and enumerated types to BDD
representation– Map integer type to a linear arithmetic constraint
representation• Use a disjunctive representation to combine different
symbolic representations: composite representation• Each disjunct is a conjunction of formulas represented by
different symbolic representations– we call each disjunct a composite atom
Composite Representation
i tii
n
ipppP
...
211
symbolic rep. 1
symbolic rep. 2
symbolic rep. t
composite atom
Example:
x: integer, y: boolean
x>0 and x´x-1 and y´ or x<=0 and x´x and y´y
arithmetic constraintrepresentation
BDD arithmetic constraintrepresentation
BDD
Composite Symbolic Library [Yavuz-Kahveci, Tuncer, Bultan TACAS01], [Yavuz-Kahveci, Bultan STTT]
• Uses a common interface for each symbolic representation
• Easy to extend with new symbolic representations
• Enables polymorphic verification
• Multiple symbolic representations:– As a BDD library we use Colorado University Decision
Diagram Package (CUDD) [Somenzi et al] – As an integer constraint manipulator we use Omega
Library [Pugh et al]
Composite Symbolic Library Class Diagram
CUDD Library OMEGA Library
Symbolic+intersect()
+union()+complement()+isSatisfiable()+isSubset()+pre()+post()
CompSym
–representation: list of comAtom
+intersect()+ union() • • •
BoolSym
–representation: BDD
+intersect()+union() • • •
IntSym
–representation: Polyhedra
+intersect()+union() • • •
compAtom
–atom: *Symbolic
Composite Symbolic Representation
b’
x: integer, y:boolean
x>0 and x´x-1 and y´ or x<=0 and x´x and y´y
: CompSym
representation : List<compAtom>
: ListNode<compAtom> : ListNode<compAtom>
next :*ListNode<compAtom> next: *ListNode<compAtom>
data : compAtom data : compAtom
01
y´ x>0 and x´=x-1
01
y’=yx<=0 and x’=x
Pre and Post-condition Computation
Variables:x: integer, y: boolean
Transition relation:R: x>0 and x´x-1 and y´ or x<=0 and x´x and y´y
Set of states: s: x=2 and !y or x=0 and !y
Compute post(s,R)
Pre and Post-condition Distribute
R: x>0 and x´x-1 and y´ or x<=0 and x´x and y´y
s: x=2 and !y or x=0 and y
post(s,R) = post(x=2 , x>0 and x´x-1) post(!y , y´) x=1 y
post(x=2 , x<=0 and x´x) post (!y , y´y) false !y
post(x=0 , x>0 and x´x-1) post(y , y´) false y
post (x=0 , x<=0 and x´x) post (y, y´y ) x=0 y
= x=1 and y or x=0 and y
Polymorphic Verifier
Symbolic TranSys::check(Node *f) {
•
•
•
Symbolic s = check(f.left)
case EX:
s.pre(transRelation)
case EF:
do
sold = s
s.pre(transRelation)
s.union(sold)
while not sold.isEqual(s) •
•
•
}
Action Language Verifier Action Language Verifier is polymorphicis polymorphic
It becomes a BDD based model It becomes a BDD based model checker when there or no integer checker when there or no integer variablesvariables
Heuristics for Composite Representation[Yavuz-Kahveci, Bultan FroCos 02]
• Masking– compute operations on BDDs first– avoid redundant computations on integer part
• Incremental subset check– Exploit the disjunctive structure by computing subset
checks incrementally• Interleaving pre-condition computation with the subset
check in least-fixpoint computations• Simplification
– Reduce the number of disjuncts in the composite representation by iteratively merging matching disjuncts
Some Experiments
Problem Instance
All Heuristics
Time (sec) Memory (MB)
No Heuristics
Time (sec) Memory (MB)
Barber2-2 0.27 8.80 1327.82 464.14
Barber3-2 0.35 9.50
Bakery2i 0.21 7.80 5.52 94.66
Bakery3i 8.26 19.60
Lightcontrol 0.12 7.90 81.05 48.40
Without the simplification for 15 out of 39 problem instances the verifier ran out of memory
Outline
• Difficulties in concurrent programming • A short history of model checking
– 5 key ideas + 2 key tools• Action Language• Composite Symbolic Library• Application to concurrency controllers• Application to concurrent linked lists• Related work• Current and future work
Application to Concurrency Controllers[Yavuz-Kahveci, Bultan ISTTA 02] [Betin-Can, Bultan SoftMC 03]
Outline of our approach:
1. Specify concurrency controllers and concurrent linked lists in Action Language
2. Verify their properties using composite model checking
3. Generate Java classes from the specifications which preserve their properties
Readers-Writers Controller
module main()integer nr;boolean busy;restrict: nr>=0;initial: nr=0 and !busy;module Reader()
boolean reading;initial: !reading;rEnter: !reading and !busy and nr’=nr+1 and reading’;rExit: reading and !reading’ and nr’=nr-1;Reader: rEnter | rExit;
endmodulemodule Writer()
boolean writing;initial: !writing;wEnter: !writing and nr=0 and !busy and busy’ and writing’;wExit: writing and !writing’ and !busy’;Writer: wEnter | wExit;
endmodulemain: Reader() | Reader() | Writer() | Writer();spec: invariant([busy => nr=0])
endmodule
Arbitrary Number of Threads
• Counting abstraction– Create an integer variable for each local state of a
thread– Each variable will count the number of threads in a
particular state • Local states of the threads have to be finite
– Specify only the thread behavior that relates to the correctness of the controller
– Shared variables of the controller can be unbounded• Counting abstraction can be automated
Readers-Writers After Counting Abstraction
module main()integer nr;boolean busy;
parameterized integer numReader, numWriter;restrict: nr>=0 and numReader>=0 and numWriter>=0;initial: nr=0 and !busy;module Reader()
integer readingF, readingT;initial: readingF=numReader and readingT=0;rEnter: readingF>0 and !busy and nr’=nr+1 and readingF’=readingF-1 and
readingT’=readingT+1;rExit: readingT>0 and nr’=nr-1 readingT’=readingT-1
and readingF’=readingF+1;Reader: rEnter | rExit;
endmodulemodule Writer()
...endmodulemain: Reader() | Writer();spec: invariant([busy => nr=0])
endmodule
Variables introduced by the counting abstractions
Parameterized constants introduced by the counting abstractions
Verification of Readers-Writers Controller
Integers Booleans Cons. Time (secs.)
Ver. Time (secs.)
Memory (Mbytes)
RW-4 1 5 0.04 0.01 6.6
RW-8 1 9 0.08 0.01 7
RW-16 1 17 0.19 0.02 8
RW-32 1 33 0.53 0.03 10.8
RW-64 1 65 1.71 0.06 20.6
RW-P 7 1 0.05 0.01 9.1
SUN ULTRA 10 (768 Mbyte main memory)
What about the Java Implementation?
• We can automatically generate code from the controller specification – Generate a Java class– Make shared variables private variables– Use synchronization to restrict access
• Is the generated code efficient?– Yes! – We can synthesize the condition variables automatically– There is no unnecessary thread notification
Specific Notification Pattern[Cargill 96]
public class ReadersWriters{ private int nr; private boolean busy; private Object rEnterCond, wEnterCond; private synchronized boolean Guard_rEnter() { if (!busy) { nr++; return true; } else return false; } public void rEnter() { synchronized(rEnterCond) { while(!Guard_rEnter()) rEnterCond.wait(); } public void rExit() { synchronized(this) { nr--; } synchronized(wEnterCond) { wEnterCond.notify(); } } ...}
All condition variables andAll condition variables andwait and signal operations are wait and signal operations are generated automaticallygenerated automatically
rEnter: !reading and !busy and nr’=nr+1 and reading’;
A simplified model of Seattle Tacoma International Airport from [Zhong 97]A simplified model of Seattle Tacoma International Airport from [Zhong 97]
Example: Airport Ground Traffic Control
Action Language Specification
module main() integer numRW16R, numRW16L, numC3, ...; initial: numRW16R=0 and numRW16L=0 and ...; module Airplane() enumerated pc {arFlow, touchDown, parked, depFlow, taxiTo16LC3, ..., taxiFr16LB2, ..., takeoff}; initial: pc=arFlow or pc=parked; reqLand: pc=arFlow and numRW16R=0 and pc’=touchDown and numRW16R’=numRW16R+1; exitRW3: pc =touchDown and numC3=0 and numC3’=numC3+1 and numRW16R’=numRW16R-1 and pc’=taxiTo16LC3; ... Airplane: reqLand | exitRW3 | ...; endmodule main: AirPlane() | Airplane() | Airplane() | ....; spec: AG(numRW16R1 and numRW16L 1) spec: AG(numC3 1) spec: AG((numRW16L=0 and numC3+numC4+...+numC8>0) => AX(numRW16L=0)) endmodule
Airport Ground Traffic Control
• Action Language specification– Has 13 integer variables– Has 6 Boolean variables per airplane process to keep
the local state of each airplane– 20 actions
• Automatically generated Java monitor class– Has 13 integer variables– Has 14 condition variables– Has 34 methods
Experiments
Processes Construction(sec) Verify-P1(sec) Verify-P2(sec) Verify-P3(sec)
2 0.81 0.42 0.28 0.69
4 1.50 0.78 0.50 1.13
8 3.03 1.53 0.99 2.22
16 6.86 3.02 2.03 5.07
2A,PD 1.02 0.64 0.43 0.83
4A,PD 1.94 1.19 0.81 1.39
8A,PD 3.95 2.28 1.54 2.59
16A,PD 8.74 4.6 3.15 5.35
PA,2D 1.67 1.31 0.88 3.94
PA,4D 3.15 2.42 1.71 5.09
PA,8D 6.40 4.64 3.32 7.35
PA,16D 13.66 9.21 7.02 12.01
PA,PD 2.65 0.99 0.57 0.43
A: Arriving AirplaneA: Arriving AirplaneD: Departing AirplaneD: Departing AirplaneP: Arbitrary number of threadsP: Arbitrary number of threads
Efficient Java Implementation
public class airport { private int numRW16R; private int numRW16L; private int numC3; .... private Object CondreqLand; private Object CondexitRW3; ... public airport() {
numRW16R = 0 ;numRW16L = 0 ;
... }
private synchronized boolean Guarded_reqLand(){
if(numRW16R == 0) { numRW16R = numRW16R + 1;
return true; }else return false ;}
public void reqLand(){ synchronized(CondreqLand){ while (! Guarded_reqLand()){ try{ CondreqLand.wait(); } catch(InterruptedException e){;} } }}
Outline
• Difficulties in concurrent programming • A short history of model checking
– 5 key ideas + 2 key tools• Action Language• Composite Symbolic Library• Application to concurrency controllers• Application to concurrent linked lists• Related work• Current and future work
Heap Type[Yavuz-Kahveci, Bultan SAS 02]
• Heap type in Action Language
heap {next} top;
• Heap type represents dynamically allocated storage
top’=new;
• We need to add a symbolic representation for the heap type to the Composite Symbolic Library
numItems > 2 => top.next != null
Concurrent Stack
module main() heap {next} top, add, get, newTop; boolean mutex; integer numItems; initial: top=null and mutex and numItems=0; module push() enumerated pc {l1, l2, l3, l4}; initial: pc=l1 and add=null; push1: pc=l1 and mutex and !mutex’ and add’=new and pc’=l2; push2: pc=l2 and numItems=0 and top’=add and numItems’=1 and pc’=l3; push3: pc=l3 and top’.next =null and mutex’ and pc’=l1; push4: pc=l2 and numItems!=0 and add’.next=top and pc’=l4; push5: pc=l4 and top’=add and numItems’=numItems+1 and mutex’ and pc’=l1; push: push1 | push2 | push3 | push4 | push5; endmodule module pop() ... endmodule
main: pop() | pop() | push() | push() ; spec:AG(mutex =>(numItems=0 <=> top=null)) spec: AG(mutex => (numItems>2 => top->next!=null))endmodule
Shape Graphs
• Shape graphs represent the states of the heap
• Each node in the shape graph represents a dynamically allocated memory location
• Heap variables point to nodes of the shape graph • The edges between the nodes show the locations pointed
by the fields of the nodes
addadd toptop
nextnext
nextnextn1n1 n2n2
heap variables heap variables addadd and and toptoppoint to node n1point to node n1
add.nextadd.next is node n2 is node n2top.nexttop.next is also node n2 is also node n2
add.next.nextadd.next.next is is nullnull
Composite Symbolic Library
CUDD Library OMEGA Library
Symbolic+union()
+isSatisfiable()+isSubset()+forwardImage()
CompSym
–representation: list of comAtom
+ union() • • •
BoolSym
–representation: BDD
+union() • • •
compAtom
–atom: *Symbolic
HeapSym
–representation: list of ShapeGraph
+union() • • •
IntSym
–representation: list of Polyhedra
+union() • • •
ShapeGraph
–atom: *Symbolic
Forward Fixpoint
pc=l1 mutex numItems=2
addaddtoptop
pc=l2 mutex numItems=2 addadd toptop
BDDBDD arithmetic constraintarithmetic constraintrepresentationrepresentation
A set of shape graphsA set of shape graphs
pc=l4 mutex numItems=2 addadd toptop
pc=l1 mutex numItems=3 addadd toptop
Post-condition Computation: Example
pc=l4 mutex numItems=2 addadd toptop
pc=l4 and mutex’pc’=l1
pc=l1 mutex
numItems’=numItems+1
numItems=3
top’=add
addadd toptop
set ofset ofstatesstates
transitiontransitionrelationrelation
Fixpoints Do Not Converge
• We have two reasons for non-termination– integer variables can increase without a bound– the number of nodes in the shape graphs can increase
without a bound• The state space is infinite• Even if we ignore the heap variables, reachability is
undecidable when we have unbounded integer variables• So, we use conservative approximations
Conservative Approximations
• Compute a lower ( p ) or an upper ( p+ ) approximation to the truth set of the property ( p )
• Model checker can give three answers:
II pppp
“The property is satisfied”
II pp
“I don’t know”
“The property is false and here is a counter-example”
II pp ppsates whichsates whichviolate the violate the propertyproperty
pp++
pp
Conservative Approximations
• Truncated fixpoint computations– To compute a lower bound for a least-fixpoint
computation – Stop after a fixed number of iterations
• Widening– To compute an upper bound for the least-fixpoint
computation– We use a generalization of the polyhedra widening
operator by • [Cousot and Halbwachs POPL’77]
• Summarization– Generate summary nodes in the shape graphs which
represent more than one concrete node
Summarization
• The nodes that form a chain are mapped to a summary node
• No heap variable points to any concrete node that is mapped to a summary node
• Each concrete node mapped to a summary node is only pointed by a concrete node which is also mapped to the same summary node
• During summarization, we also introduce an integer variable which counts the number of concrete nodes mapped to a summary node
Summarization Example
pc=l1 mutex numItems=3
addaddtoptop
pc=l1 mutex numItems=3 summarycount=2
addaddtoptop
summary nodesummary nodea new integer variablea new integer variablerepresenting the numberrepresenting the numberof concrete nodes encoded of concrete nodes encoded by the summary nodeby the summary node
After summarization, it becomes:After summarization, it becomes:
summarized nodessummarized nodes
Simplification
pc=l1 mutex numItems=3
summaryCount=2
addadd toptop
pc=l1 mutex
addaddtoptop numItems=4
summaryCount=3
==
pc=l1 mutex
addaddtoptop (numItems=4
summaryCount=3
numItems=3
summarycount=2)
Simplification On the Integer Part
pc=l1 mutex
addaddtoptop
(numItems=4
summaryCount=3
numItems=3
summaryCount=2)
==
pc=l1 mutex
addaddtoptop numItems=summaryCount+1
3 numItems
numItems 4
Widening
• Fixpoint computation still will not converge since numItems and summaryCount keep increasing without a bound
• We use the widening operation:– Given two composite atoms c1 and c2 in consecutive
fixpoint iterates, assume that
c1 = b1 i1 h1
c2 = b2 i2 h2
where b1 = b2 and h1 = h2 and i1 i2Assume that i1 is a single polyhedron and i2 is also a single
polyhedron
Widening
• Then
– i1 i2 is defined as: all the constraints in i1 which are also satisfied by i2
• Replace i2 with i1 i2 in c2
• This generates an upper approximation to the forward-fixpoint computation
Widening Example
pc=l1 mutex
addaddtoptop numItems=summaryCount+1
3 numItems
numItems 4
pc=l1 mutex
addaddtoptop numItems=summaryCount+1
3 numItems
numItems 5
pc=l1 mutex
addaddtoptop numItems=summaryCount+1
3 numItems
==
Now, fixpoint convergesNow, fixpoint converges
Verified Properties
Specification Verified Invariants
Stack top=null numItems=0
topnull numItems0
numItems=2 top.nextnull
Single Lock Queue head=null numItems=0
headnull numItems0
(head=tail head null) numItems=1
headtail numItems0
Two Lock Queue numItems>1 headtail
numItems>2 head.nexttail
Experimental Results
Number of
Threads
Queue
HC
Queue
IC
Stack
HC
Stack
IC
2Lock
Queue
HC
2Lock
Queue
IC
1P-1C 10.19 12.95 4.57 5.21 60.5 58.13
2P-2C 15.74 21.64 6.73 8.24 88.26 122.47
4P-4C 31.55 46.5 12.71 15.11
1P-PC 12.85 13.62 5.61 5.73
PP-1C 18.24 19.43 6.48 6.82
HC : heap controlIC : integer control
Verification times in secs
Verifying Linked Lists with Multiple Fields
• Pattern-based summarization– User provides a graph grammar rule to describe the
summarization pattern
L x = next x y, prev y x, L y
• Represent any maximal sub-graph that matches the pattern with a summary node– no node in the sub-graph pointed by a heap variable
Summarization Pattern Examples
......nn nn nnL L x x xx.n = .n = yy, L, L y y
......nn nn nnL L x x xx.n = .n = yy, , yy.p = .p = xx, L, L y y
pp pp pp
L L x x xx.n = .n = yy, , xx.d = .d = zz, L, L y y ......nn nn nn
dd dd dd
Outline
• Difficulties in concurrent programming • A short history of model checking
– 5 key ideas + 2 key tools• Action Language• Composite Symbolic Library• Application to concurrency controllers• Application to concurrent linked lists• Related work• Current and future work
Shape Analysis
• There is a lot of work on Shape analysis, I will just mention the ones which directly influenced us:– [Sagiv,Reps, Wilhelm TOPLAS’98] , [Dor, Rodeh, Sagiv SAS’00]
• Verification of concurrent linked lists with arbitrary number of processes in – [Yahav POPL’01]
• 3-valued logic and instrumentation predicates – [Sagiv,Reps, Wilhelm TOPLAS], [Lev-Ami, Reps, Sagiv, Wilhelm
ISSTA 00]
• Automatically generating instrumentation predicates– [Sagiv,Reps, Wilhelm ESOP 03]
Shape Analysis
• Deutch used integer constraint lattices to compute aliasing information using symbolic access paths– [Deutch PLDI’94]
• The idea of summarization patterns is based on the shape types introduced in– [Fradet and Metayer POPL 97]
Model Checking Software Specifications
• [Atlee, Gannon 93] – Translating SCR mode transition tables to input
language of explicit state model checker EMC [Clarke, Emerson, Sistla 86]
• [Chan et al. 98,00] – Translating RSML specifications to input language of
SMV
• [Bharadwaj, Heitmeyer 99] – Translating SCR specifications to Promela, input
language of automata-theoretic explicit state model checker SPIN
Specification Languages
• Specification languages for verification– [Milner 80] CCS– [Chandy and Misra 88] Unity– [Lamport 94] Temporal Logic of Actions (TLA)
• Specification languages for model checking– [Holzmann 98] Promela– [McMillan 93] SMV– [Alur and Henzinger 96, 99] Reactive Modules
Action Language TLA Connection
• Similarities:– Transition relation is defined using predicates on current
(unprimed) and next state (primed) variables– Each predicate is defined using integer arithmetic,
boolean logic, etc.• Differences: In Action Language
– Temporal operators are not used in defining the transition relation
• Dual language approach: temporal properties (in CTL) are redundant, they are used to check correctness
– Synchronous and asynchronous composition operators are not equivalent to logical operators
Constraint-Based Verification
• [Cooper 71]
– Used a decision procedure for Presburger arithmetic to verify sequential programs represented in a block form
• [Cousot and Halbwachs 78] – Used real arithmetic constraints to discover invariants of
sequential programs• [Halbwachs 93]
– Constraint based delay analysis in synchronous programs
• [Halbwachs et al. 94] – Verification of linear hybrid systems using constraint
representations• [Alur et al. 96]
– HyTech, a model checker for hybrid systems
Constraint-Based Verification
• [Boigelot and Wolper 94] – Verification with periodic sets
• [Boigelot et al.] – Meta-transitions, accelerations
• [Delzanno and Podelski 99]
– Built a model checker using constraint logic programming framework
• [Boudet Comon], [Wolper and Boigelot ‘00] – Translating linear arithmetic constraints to automata
Automata-Based Representations
• [Klarlund et al.] – MONA, an automata manipulation tool for verification
• [Boudet Comon] – Translating linear arithmetic constraints to automata
• [Wolper and Boigelot ‘00] – verification using automata as a symbolic representation
• [Kukula et al. 98] – application of automata based verification to hardware
verification
Combining Symbolic Representations
• [Chan et al. CAV’97]
– both linear and non-linear constraints are mapped to BDDs
– Only data-memoryless and data-invariant transitions are supported
• [Bharadwaj and Sims TACAS’00]
– Combines automata based representations (for linear arithmetic constraints) with BDDs
– Specialized for inductive invariant checking• [Bensalem et al. 00]
– Symbolic Analysis Laboratory– Designed a specification language that allows integration
of different verification tools
Model Checking Programs
• Verisoft from Bell Labs [Godefroid POPL 97]
– C programs, handles concurrency, bounded search, bounded recursion, stateless search
• Java Path Finder (JPF) at NASA Ames [Havelund, Visser]
– Explicit state model checking for Java programs, bounded search, bounded recursion, handles concurrency
• SLAM project at Microsoft Research[Ball, Rajamani et al. SPIN 00, PLDI 01]
– Symbolic model checking for C programs, unbounded recursion, no concurrency
– Uses predicate abstraction [Saidi, Graf 97] and BDDs • BANDERA: A tool for extracting finite state models from
programs [Dwyer, Hatcliff et al ICSE 00, 01]
Outline
• Difficulties in concurrent programming • A short history of model checking
– 5 key ideas + 2 key tools• Action Language• Composite Symbolic Library• Application to concurrency controllers• Application to concurrent linked lists• Related work• Current and future work
Current and Future Work
• Automata representation for linear arithmetic constraints
• Interface based specification and verification of concurrency controllers
• Specification and verification of web services
Automata Representation for Arithmetic Constraints
[Bartzis, Bultan, CIAA 02], [Bartzis, Bultan, IJFCS]
[Bartzis, Bultan TACAS 03], [Bartzis, Bultan CAV 03]
• Given a linear arithmetic formula construct a deterministic finite automaton that accepts the integers that satisfy the formula.
• Used MONA package• Complexity results
-2 -1 1 0
sink
0 10, 0
00
0 11, 1
0 10, 0
0 11, 1
0 0 1 10, 1, 0, 1
01
01
10
001
1
11
10
A finite automaton for2x - 3y = 2
Concurrency Controllers and Interfaces
[Betin-Can, Bultan SoftMC 03]• Concurrency Controller
– Behavior: How do the shared variables change– Interface: In which order are the methods invoked
• Separate Verification– Behavior verification
• Action Language Verifier – Interface verification
• Java PathFinder • A modular approach
– Build complex concurrency controllers by composing interfaces
Example Interface
reqLand
exitRW3crossRW3
park2
reqTakeOff
leave
exitRW4
exitRW5
exitRW6
exitRW7
exitRW8
crossRW5
crossRW6
crossRW7
crossRW8
crossRW4
park11
park10
park9
park7
Verification of Web Services
[Fu, Bultan, Hull, Su TACAS 01, WES 02], [Bultan,Fu,Hull, Su WWW 03], [Fu, Bultan, Su CIAA 03]
• Verification of Vortex workflows using SMV and Action Language Verifier
• A top-down approach to specification and verification of composite web services– Specify the composite web service as a conversation
protocol– Generate peer specifications from the conversation
protocol• Realizability conditions
• Working on the application of this framework to BPEL
ConversationProtocol
AB:msg1
BA:msg2
BC:msg3 C B:msg4
BC:msg5
G(msg1 F(msg3 msg5))? LTL property
Model Checking
!msg1
?msg2
Peer A?msg1
!msg2
!msg5
!msg3
?msg4
Peer B
?msg3
!msg4
Peer C
Peer A Peer B Peer C
msg1
msg2,msg6
msg3,msg5
msg4
ConversationSchema
Peer Synthesis
InputQueue
...Virtual Watcher
?msg6
BA:msg6
!msg6
?msg5
The End