An Abstraction Technique for Describing Concurrent Program Behaviour
|
|
- Russell White
- 5 years ago
- Views:
Transcription
1 An Abstraction Technique for Describing Concurrent Program Behaviour Wytse Oortwijn (joint with Stefan Blom and Marieke Huisman) Formal Methods and Tools, University of Twente September 19, 2017 Wytse Oortwijn, UTwente Verifying Model Abstractions 1 / 21
2 Outline 1 Introduction 2 Approach 3 Distributed programs 4 Conclusion Wytse Oortwijn, UTwente Verifying Model Abstractions 2 / 21
3 Outline 1 Introduction 2 Approach 3 Distributed programs 4 Conclusion Wytse Oortwijn, UTwente Verifying Model Abstractions 3 / 21
4 Introduction Approach Distributed programs Concurrent programming is error-prone THERAC-25 Wytse Oortwijn, UTwente Verifying Model Abstractions 4 / 21 Conclusion
5 Introduction Approach Distributed programs Concurrent programming is error-prone THERAC-25 Wytse Oortwijn, UTwente Intel TSX Verifying Model Abstractions 4 / 21 Conclusion
6 Introduction Approach Distributed programs Concurrent programming is error-prone THERAC-25 Intel TSX Toyota car acceleration Wytse Oortwijn, UTwente Verifying Model Abstractions 4 / 21 Conclusion
7 Introduction Approach Distributed programs Concurrent programming is error-prone THERAC-25 Intel TSX Toyota car acceleration Mars climate orbiter Wytse Oortwijn, UTwente Verifying Model Abstractions 4 / 21 Conclusion
8 Introduction Approach Distributed programs Concurrent system behaviour Single traffic light only a few possible behaviours: red, orange, and green Wytse Oortwijn, UTwente Verifying Model Abstractions 5 / 21 Conclusion
9 Introduction Approach Distributed programs Concurrent system behaviour Single traffic light Multiple traffic lights only a few possible behaviours: red, orange, and green the number of possible behaviours is exponential in the number of lights Wytse Oortwijn, UTwente Verifying Model Abstractions 5 / 21 Conclusion
10 Static verification: deductive verification void main(args) { S 1 S 2; How to verify a concurrent program? Wytse Oortwijn, UTwente Verifying Model Abstractions 6 / 21
11 Static verification: deductive verification void main(args) { S 1 S 2; {P 1 S 1 {Q 1 {P 2 S 2 {Q 2 {P 1 P 2 S 1 S 2 {Q 1 Q 2 {P 1 P 2 main(args) {Q 1 Q 2 How to verify a concurrent program? Using program logics, like: Hoare logic, separation logic, etc. Wytse Oortwijn, UTwente Verifying Model Abstractions 6 / 21
12 Static verification: deductive verification requires P 1 P 2; ensures Q 1 Q 2; void main(args) { S 1 S 2; {P 1 S 1 {Q 1 {P 2 S 2 {Q 2 {P 1 P 2 S 1 S 2 {Q 1 Q 2 {P 1 P 2 main(args) {Q 1 Q 2 How to verify a concurrent program? (using automated tools) Using program logics, like: Hoare logic, separation logic, etc. Wytse Oortwijn, UTwente Verifying Model Abstractions 6 / 21
13 Static verification: deductive verification requires P 1 P 2; ensures Q 1 Q 2; void main(args) { S 1 S 2; {P 1 S 1 {Q 1 {P 2 S 2 {Q 2 {P 1 P 2 S 1 S 2 {Q 1 Q 2 {P 1 P 2 main(args) {Q 1 Q 2 How to verify a concurrent program? (using automated tools) Using program logics, like: Hoare logic, separation logic, etc. Strong correctness guarantees Wytse Oortwijn, UTwente Verifying Model Abstractions 6 / 21
14 Static verification: deductive verification requires P 1 P 2; ensures Q 1 Q 2; void main(args) { S 1 S 2; {P 1 S 1 {Q 1 {P 2 S 2 {Q 2 {P 1 P 2 S 1 S 2 {Q 1 Q 2 {P 1 P 2 main(args) {Q 1 Q 2 How to verify a concurrent program? (using automated tools) Using program logics, like: Hoare logic, separation logic, etc. Hard to construct a proof Wytse Oortwijn, UTwente Verifying Model Abstractions 6 / 21
15 Static verification: model checking void main(args) { S 1 S 2;
16 Static verification: model checking void main(args) { S 1 S 2; Abstract model capturing program behaviour
17 Static verification: model checking void main(args) { S 1 S 2; abstraction Abstract model capturing program behaviour
18 Static verification: model checking void main(args) { S 1 S 2; abstraction Abstract model capturing program behaviour Model checker algorithmic analysis
19 Static verification: model checking void main(args) { S 1 S 2; abstraction Abstract model capturing program behaviour input Model checker algorithmic analysis
20 Static verification: model checking void main(args) { S 1 S 2; abstraction Abstract model capturing program behaviour input Temporal properties LTL, CTL, etc. Model checker algorithmic analysis
21 Static verification: model checking void main(args) { S 1 S 2; abstraction Abstract model capturing program behaviour input Temporal properties LTL, CTL, etc. input Model checker algorithmic analysis Wytse Oortwijn, UTwente Verifying Model Abstractions 7 / 21
22 Static verification: model checking void main(args) { S 1 S 2; abstraction Abstract model capturing program behaviour input Temporal properties LTL, CTL, etc. input Model checker algorithmic analysis Good automation Wytse Oortwijn, UTwente Verifying Model Abstractions 7 / 21
23 Static verification: model checking void main(args) { S 1 S 2; abstraction Abstract model capturing program behaviour input Temporal properties LTL, CTL, etc. input Model checker algorithmic analysis State-space explosion problems Wytse Oortwijn, UTwente Verifying Model Abstractions 7 / 21
24 Static verification: model checking void main(args) { S 1 S 2; abstraction Abstract model capturing program behaviour input Temporal properties LTL, CTL, etc. input Model checker algorithmic analysis Is the program abstraction correct? Wytse Oortwijn, UTwente Verifying Model Abstractions 7 / 21
25 Outline 1 Introduction 2 Approach 3 Distributed programs 4 Conclusion Wytse Oortwijn, UTwente Verifying Model Abstractions 8 / 21
26 Our approach: deducative + algorithmic verification void main(args) { S 1 S 2 ; abstraction Abstract model capturing program behaviour input Temporal properties LTL, CTL, etc. input Model checker algorithmic analysis Wytse Oortwijn, UTwente Verifying Model Abstractions 9 / 21
27 Our approach: deducative + algorithmic verification void main(args) { S 1 S 2 ; abstraction Process algebras input Temporal properties LTL, CTL, etc. input Model checker algorithmic analysis Abstract models are process algebra terms Wytse Oortwijn, UTwente Verifying Model Abstractions 9 / 21
28 Our approach: deducative + algorithmic verification requires Process(P); ensures Process(ε); void main(args) { S 1 S 2 ; abstraction Process algebras input Temporal properties LTL, CTL, etc. input Model checker algorithmic analysis Deductively verifying correctness of the abstraction Wytse Oortwijn, UTwente Verifying Model Abstractions 9 / 21
29 Our approach: deducative + algorithmic verification requires Process(P); ensures Process(ε); void main(args) { S 1 S 2 ; abstraction Process algebras with action contracts input Model checker algorithmic analysis The properties are encoded as process/action contracts Wytse Oortwijn, UTwente Verifying Model Abstractions 9 / 21
30 Our approach: deducative + algorithmic verification requires Process(P); ensures Process(ε) Res; void main(args) { S 1 S 2 ; abstraction Process algebras with action contracts results input Model checker algorithmic analysis Applying model checking result in the program logic Wytse Oortwijn, UTwente Verifying Model Abstractions 9 / 21
31 Example program: concurrent counting Concrete program Program abstraction class Counter { public int val; static void add2(counter c) { parallel { atomic-add(c.val, 1); and { atomic-add(c.val, 1); Wytse Oortwijn, UTwente Verifying Model Abstractions 10 / 21
32 Example program: concurrent counting Concrete program Program abstraction class Counter { public int val; ensures c.val = old(c.val) + 2; static void add2(counter c) { parallel { atomic-add(c.val, 1); and { atomic-add(c.val, 1); How to verify this property? Wytse Oortwijn, UTwente Verifying Model Abstractions 10 / 21
33 Example program: concurrent counting Concrete program Program abstraction class Counter { public int val; static void add2(counter c) { parallel { atomic-add(c.val, 1); and { atomic-add(c.val, 1); action incr; The incr action abstracts the atomic-add s. Wytse Oortwijn, UTwente Verifying Model Abstractions 10 / 21
34 Example program: concurrent counting Concrete program Program abstraction class Counter { public int val; static void add2(counter c) { parallel { atomic-add(c.val, 1); and { atomic-add(c.val, 1); action incr; process parincr() := incr incr; The parincr process abstracts the add2 program. Wytse Oortwijn, UTwente Verifying Model Abstractions 10 / 21
35 Example program: concurrent counting Concrete program Program abstraction class Counter { public int val; static void add2(counter c) { parallel { atomic-add(c.val, 1); and { atomic-add(c.val, 1); guard true; effect x = old(x) + 1; action incr; process parincr() := incr incr; Contracts are used to encode the properties of interest. Wytse Oortwijn, UTwente Verifying Model Abstractions 10 / 21
36 Example program: concurrent counting Concrete program Program abstraction class Counter { public int val; static void add2(counter c) { parallel { atomic-add(c.val, 1); and { atomic-add(c.val, 1); guard true; effect x = old(x) + 1; action incr; requires true; ensures x = old(x) + 2; process parincr() := incr incr; Contracts are used to encode the properties of interest. Wytse Oortwijn, UTwente Verifying Model Abstractions 10 / 21
37 Example program: concurrent counting Concrete program Program abstraction class Counter { public int val; requires Process(parincr); requires c.val x; static void add2(counter c) { parallel { atomic-add(c.val, 1); and { atomic-add(c.val, 1); guard true; effect x = old(x) + 1; action incr; requires true; ensures x = old(x) + 2; process parincr() := incr incr; Linking concrete program to abstract model. Wytse Oortwijn, UTwente Verifying Model Abstractions 10 / 21
38 Example program: concurrent counting Concrete program Program abstraction class Counter { public int val; requires Process(parincr); requires c.val x; static void add2(counter c) { parallel { act incr do atomic-add(c.val, 1); and { act incr do atomic-add(c.val, 1); guard true; effect x = old(x) + 1; action incr; requires true; ensures x = old(x) + 2; process parincr() := incr incr; Linking abstract actions to concrete implementation. Wytse Oortwijn, UTwente Verifying Model Abstractions 10 / 21
39 Example program: concurrent counting Concrete program Program abstraction class Counter { public int val; requires Process(parincr); requires c.val x; ensures Process(ε); static void add2(counter c) { parallel { act incr do atomic-add(c.val, 1); and { act incr do atomic-add(c.val, 1); guard true; effect x = old(x) + 1; action incr; requires true; ensures x = old(x) + 2; process parincr() := incr incr; Linking concrete program to abstract model. Wytse Oortwijn, UTwente Verifying Model Abstractions 10 / 21
40 Example program: concurrent counting Concrete program Program abstraction class Counter { public int val; requires Process(parincr); requires c.val x; ensures Process(ε); ensures c.val = old(c.val) + 2; static void add2(counter c) { parallel { act incr do atomic-add(c.val, 1); and { act incr do atomic-add(c.val, 1); guard true; effect x = old(x) + 1; action incr; requires true; ensures x = old(x) + 2; process parincr() := incr incr; Using the result from analyzing all traces of parincr. Wytse Oortwijn, UTwente Verifying Model Abstractions 10 / 21
41 Model abstractions: theory Formalised using the Coq proof assistant (see our VSTTE2017 paper for more details) Wytse Oortwijn, UTwente Verifying Model Abstractions 11 / 21
42 Model abstractions: tool support As extension to the VerCors verification tool set (see our ifm2017 paper+talk for more details) Wytse Oortwijn, UTwente Verifying Model Abstractions 12 / 21
43 The VerCors verification tool set OpenCL OpenMP VerCors Tool Viper Silver PVL Java Common Object Language Silicon Z3 VerCors can be tried and downloaded via Wytse Oortwijn, UTwente Verifying Model Abstractions 13 / 21
44 Model abstractions: verified examples 1 Concurrent counting: verifying that a concurrent counter computes the correct result. 2 No-send-after-read: verifying that confidential data can not be send after being received. 3 Parallel GCD: verifying that a parallel GCD algorithm computes the correct result (VSTTE2017). 4 Locking protocol: verifying that a lock implementation adheres to the intended locking protocol. Wytse Oortwijn, UTwente Verifying Model Abstractions 14 / 21
45 Outline 1 Introduction 2 Approach 3 Distributed programs 4 Conclusion Wytse Oortwijn, UTwente Verifying Model Abstractions 15 / 21
46 Message Passing Interface (MPI) MPI primitives MPI Send(i, m) - sending a message m to process i; m := MPI Send(i) - receiving a message m from process i; MPI Bcast(m) - broadcasting a message m to every process, etc. Wytse Oortwijn, UTwente Verifying Model Abstractions 16 / 21
47 Message Passing Interface (MPI) MPI primitives MPI Send(i, m) - sending a message m to process i; m := MPI Send(i) - receiving a message m from process i; MPI Bcast(m) - broadcasting a message m to every process, etc. Challenges Message exchanges are concurrent; Number of processes often unknown; and Number of possible behaviours often unbounded Wytse Oortwijn, UTwente Verifying Model Abstractions 16 / 21
48 Modeling MPI primitives Abstracting MPI primitives MPI Send(i, m); action send(i, m); m := MPI Send(i); action recv(i, m); MPI Bcast(m); action bcast(m); MPI Barrier(); action barrier; Wytse Oortwijn, UTwente Verifying Model Abstractions 17 / 21
49 Modeling MPI primitives Abstracting MPI primitives MPI Send(i, m); action send(i, m); m := MPI Send(i); action recv(i, m); MPI Bcast(m); action bcast(m); MPI Barrier(); action barrier; Introducing Hoare logic axioms {send(i, m) P MPI Send(i, m) {P {recv(i, m) P m := MPI Recv(i) {P Wytse Oortwijn, UTwente Verifying Model Abstractions 17 / 21
50 Linking abstractions to MPI programs MPI program void main(int k) { int v := MPI Recv( ); MPI Send(0, v + k); Wytse Oortwijn, UTwente Verifying Model Abstractions 18 / 21
51 Linking abstractions to MPI programs MPI program void main(int k) { int v := MPI Recv( ); MPI Send(0, v + k); Program abstraction process p(int k) := Σ i:int recv(, i) send(0, i + k) Wytse Oortwijn, UTwente Verifying Model Abstractions 18 / 21
52 Linking abstractions to MPI programs MPI program requires Process(p(k) ɛ); void main(int k) { int v := MPI Recv( ); MPI Send(0, v + k); Program abstraction process p(int k) := Σ i:int recv(, i) send(0, i + k) Wytse Oortwijn, UTwente Verifying Model Abstractions 18 / 21
53 Linking abstractions to MPI programs MPI program requires Process(p(k) ɛ); ensures Process(ε); void main(int k) { int v := MPI Recv( ); MPI Send(0, v + k); Program abstraction process p(int k) := Σ i:int recv(, i) send(0, i + k) Wytse Oortwijn, UTwente Verifying Model Abstractions 18 / 21
54 Linking abstractions to MPI programs MPI program requires Process(p(k) ɛ); ensures Process(ε); void main(int k) { int v := MPI Recv( ); MPI Send(0, v + k); Program abstraction process p(int k) := Σ i:int recv(, i) send(0, i + k) Does the program correctly execute its abstraction? Wytse Oortwijn, UTwente Verifying Model Abstractions 18 / 21
55 Linking abstractions to MPI programs MPI program requires Process(p(k) ɛ); ensures Process(ε); void main(int k) { {P(k) ɛ int v := MPI Recv( ); MPI Send(0, v + k); Program abstraction process p(int k) := Σ i:int recv(, i) send(0, i + k) Does the program correctly execute its abstraction? Wytse Oortwijn, UTwente Verifying Model Abstractions 18 / 21
56 Linking abstractions to MPI programs MPI program requires Process(p(k) ɛ); ensures Process(ε); void main(int k) { {P(k) ɛ {Σ i:int recv(, i) send(0, i +k) ɛ int v := MPI Recv( ); MPI Send(0, v + k); Program abstraction process p(int k) := Σ i:int recv(, i) send(0, i + k) Does the program correctly execute its abstraction? Wytse Oortwijn, UTwente Verifying Model Abstractions 18 / 21
57 Linking abstractions to MPI programs MPI program requires Process(p(k) ɛ); ensures Process(ε); void main(int k) { {P(k) ɛ {Σ i:int recv(, i) send(0, i +k) ɛ int v := MPI Recv( ); {send(0, v + k) ɛ MPI Send(0, v + k); Program abstraction process p(int k) := Σ i:int recv(, i) send(0, i + k) Does the program correctly execute its abstraction? Wytse Oortwijn, UTwente Verifying Model Abstractions 18 / 21
58 Linking abstractions to MPI programs MPI program requires Process(p(k) ɛ); ensures Process(ε); void main(int k) { {P(k) ɛ {Σ i:int recv(, i) send(0, i +k) ɛ int v := MPI Recv( ); {send(0, v + k) ɛ MPI Send(0, v + k); {ε Program abstraction process p(int k) := Σ i:int recv(, i) send(0, i + k) Does the program correctly execute its abstraction? Wytse Oortwijn, UTwente Verifying Model Abstractions 18 / 21
59 Linking abstractions to MPI programs MPI program requires Process(p(k) ɛ); ensures Process(ε); void main(int k) { {P(k) ɛ {Σ i:int recv(, i) send(0, i +k) ɛ int v := MPI Recv( ); {send(0, v + k) ɛ MPI Send(0, v + k); {ε Program abstraction process p(int k) := Σ i:int recv(, i) send(0, i + k) Does the program correctly execute its abstraction? Yes! Wytse Oortwijn, UTwente Verifying Model Abstractions 18 / 21
60 Toolchain overview requires Process(p(k) P); ensures Process(P); void main(int k) { int v := MPI Recv( ); MPI Send(0, v + k);
61 Toolchain overview requires Process(p(k) P); ensures Process(P); void main(int k) { int v := MPI Recv( ); MPI Send(0, v + k); 1
62 Toolchain overview process p(int k) := Σ i:int recv(, i) send(0, i + k); 2 requires Process(p(k) P); ensures Process(P); void main(int k) { int v := MPI Recv( ); MPI Send(0, v + k); 1
63 Toolchain overview process p(int k) := Σ i:int recv(, i) send(0, i + k); 2 requires Process(p(k) P); ensures Process(P); void main(int k) { int v := MPI Recv( ); MPI Send(0, v + k); 1 3 Verdict Does the program correctly executes its abstraction? Hoare logic reasoning
64 Toolchain overview process p(int k) := Σ i:int recv(, i) send(0, i + k); 2 requires Process(p(k) P); ensures Process(P); void main(int k) { int v := MPI Recv( ); MPI Send(0, v + k); 1 3 Verdict Does the program correctly executes its abstraction? Hoare logic reasoning P(k 1 ) P(k 2 ) MPI
65 Toolchain overview process p(int k) := Σ i:int recv(, i) send(0, i + k); 2 requires Process(p(k) P); ensures Process(P); void main(int k) { int v := MPI Recv( ); MPI Send(0, v + k); 1 3 Verdict Does the program correctly executes its abstraction? Hoare logic reasoning P(k 1 ) P(k 2 ) MPI 4
66 Toolchain overview process p(int k) := Σ i:int recv(, i) send(0, i + k); 2 requires Process(p(k) P); ensures Process(P); void main(int k) { int v := MPI Recv( ); MPI Send(0, v + k); 1 3 Verdict Does the program correctly executes its abstraction? Hoare logic reasoning 5 P(k 1 ) P(k 2 ) MPI 4
67 Toolchain overview process p(int k) := Σ i:int recv(, i) send(0, i + k); 2 requires Process(p(k) P); ensures Process(P); void main(int k) { int v := MPI Recv( ); MPI Send(0, v + k); 1 3 Verdict Does the program correctly executes its abstraction? Hoare logic reasoning 5 6 P(k 1 ) P(k 2 ) MPI 4 Final verdict Either pass or fail Wytse Oortwijn, UTwente Verifying Model Abstractions 19 / 21
68 Outline 1 Introduction 2 Approach 3 Distributed programs 4 Conclusion Wytse Oortwijn, UTwente Verifying Model Abstractions 20 / 21
69 Conclusion VerCors verification tool set Automated verification of parallel and concurrent software More information: Download & try: Wytse Oortwijn, UTwente Verifying Model Abstractions 21 / 21
A VERIFICATION TECHNIQUE FOR DETERMINISTIC PARALLEL PROGRAMS
A VERIFICATION TECHNIQUE FOR DETERMINISTIC PARALLEL PROGRAMS MARIEKE HUISMAN UNIVERSITY OF TWENTE, NETHERLANDS JOINT WORK WITH SAEED DARABI AND STEFAN BLOM THE CHALLENGE OF RELIABLE SOFTWARE ICT problems
More informationViper A Verification Infrastructure for Permission-Based Reasoning
Viper A Verification Infrastructure for Permission-Based Reasoning Alex Summers, ETH Zurich Joint work with Uri Juhasz, Ioannis Kassios, Peter Müller, Milos Novacek, Malte Schwerhoff (and many students)
More informationVERIFICATION OF SHARED-READING SYNCHRONISERS
VERIFICATION OF SHARED-READING SYNCHRONISERS MARIEKE HUISMAN UNIVERSITY OF TWENTE, NETHERLANDS JOINT WORK WITH AFSHIN AMIGHI AND STEFAN BLOM SOFTWARE RELIABILITY All software has errors! Software failures
More informationImproving the Definition of UML
Improving the Definition of UML Greg O Keefe Computer Sciences Laboratory Australian National University Outline The UML definition claims to be Outline The UML definition claims to be precise Outline
More informationIntroduction & Formal Methods
Introduction & Formal Methods http://d3s.mff.cuni.cz Jan Kofroň CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics Introduction to dependable systems NSWE 002 What you learn: Dependable systems
More informationCover Page. The handle holds various files of this Leiden University dissertation
Cover Page The handle http://hdl.handle.net/1887/22891 holds various files of this Leiden University dissertation Author: Gouw, Stijn de Title: Combining monitoring with run-time assertion checking Issue
More informationSoftware Engineering using Formal Methods
Software Engineering using Formal Methods Introduction to Promela Wolfgang Ahrendt 03 September 2015 SEFM: Promela /GU 150903 1 / 36 Towards Model Checking System Model Promela Program byte n = 0; active
More informationWitnessing the elimination of magic wands
Int J Softw Tools Technol Transfer (2015) 17:757 781 DOI 10.1007/s10009-015-0372-3 VERIFYTHIS 2012 Witnessing the elimination of magic wands Stefan Blom Marieke Huisman Published online: 31 March 2015
More informationDistributed Binary Decision Diagrams for Symbolic Reachability
Distributed Binary Decision Diagrams for Symbolic Reachability Wytse Oortwijn Formal Methods and Tools, University of Twente November 1, 2015 Wytse Oortwijn (Formal Methods and Tools, Distributed University
More informationModel-Driven Verifying Compilation of Synchronous Distributed Applications
Model-Driven Verifying Compilation of Synchronous Distributed Applications Sagar Chaki, James Edmondson October 1, 2014 MODELS 14, Valencia, Spain Copyright 2014 Carnegie Mellon University This material
More informationConcurrent library abstraction without information hiding
Universidad Politécnica de Madrid Escuela técnica superior de ingenieros informáticos Concurrent library abstraction without information hiding Artem Khyzha Advised by Manuel Carro and Alexey Gotsman Madrid
More informationConcurrency. State Models and Java Programs. Jeff Magee and Jeff Kramer. Concurrency: introduction 1. Magee/Kramer
Concurrency State Models and Java Programs Jeff Magee and Jeff Kramer Concurrency: introduction 1 What is a Concurrent Program? A sequential program has a single thread of control. A concurrent program
More informationRuntime Permission Checking in Concurrent Java Programs
Master s Thesis Runtime Permission Checking in Concurrent Java Programs Author: Stijn Gijsen Supervisor: prof.dr. M. Huisman Committee: dr. C.M. Bockisch dr. S.C.C. Blom A thesis submitted in fulfilment
More informationVerifying C & C++ with ESBMC
Verifying C & C++ with ESBMC Denis A Nicole dan@ecs.soton.ac.uk CyberSecuritySoton.org [w] @CybSecSoton [fb & tw] ESBMC ESBMC, the Efficient SMT-Based Context-Bounded Model Checker was originally developed
More informationFormal Specification and Verification
Formal Specification and Verification Introduction to Promela Bernhard Beckert Based on a lecture by Wolfgang Ahrendt and Reiner Hähnle at Chalmers University, Göteborg Formal Specification and Verification:
More informationChapter 1. Introduction
1 Chapter 1 Introduction An exciting development of the 21st century is that the 20th-century vision of mechanized program verification is finally becoming practical, thanks to 30 years of advances in
More informationSoftware Engineering using Formal Methods
Software Engineering using Formal Methods Introduction to Promela Wolfgang Ahrendt & Richard Bubel & Reiner Hähnle & Wojciech Mostowski 31 August 2011 SEFM: Promela /GU 110831 1 / 35 Towards Model Checking
More informationSimGrid MC 101. Getting Started with the SimGrid Model-Checker. Da SimGrid Team. April 11, 2017
SimGrid MC 101 Getting Started with the SimGrid Model-Checker Da SimGrid Team April 11, 2017 About this Presentation Goals and Contents Understanding the basics of Model checking Running SimGrid as a Model
More informationDesign and Analysis of Distributed Interacting Systems
Design and Analysis of Distributed Interacting Systems Lecture 5 Linear Temporal Logic (cont.) Prof. Dr. Joel Greenyer May 2, 2013 (Last Time:) LTL Semantics (Informally) LTL Formulae are interpreted on
More informationWarm-Up Problem. Let be a set of well-formed Predicate logic formulas. Let be well-formed Predicate logic formulas. Prove or disprove the following.
Warm-Up Problem Let be a set of well-formed Predicate logic formulas Let be well-formed Predicate logic formulas Prove or disprove the following If then 1/35 Program Verification Carmen Bruni Lecture 18
More informationLecture 1: Model Checking. Edmund Clarke School of Computer Science Carnegie Mellon University
Lecture 1: Model Checking Edmund Clarke School of Computer Science Carnegie Mellon University 1 Cost of Software Errors June 2002 Software bugs, or errors, are so prevalent and so detrimental that they
More informationRuntime assertion checking of multithreaded Java programs
Master Thesis Runtime assertion checking of multithreaded Java programs An extension of the STROBE framework Author: Jorne Kandziora Supervisors: dr. M. Huisman dr. C.M. Bockisch M. Zaharieva-Stojanovski,
More informationModel checking Timber program. Paweł Pietrzak
Model checking Timber program Paweł Pietrzak 1 Outline Background on model checking (spam?) The SPIN model checker An exercise in SPIN - model checking Timber Deriving finite models from Timber programs
More informationVerifying Concurrent Programs
Verifying Concurrent Programs Daniel Kroening 8 May 1 June 01 Outline Shared-Variable Concurrency Predicate Abstraction for Concurrent Programs Boolean Programs with Bounded Replication Boolean Programs
More informationSystem Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements
System Correctness EEC 421/521: Software Engineering A Whirlwind Intro to Software Model Checking A system is correct when it meets its requirements a design without requirements cannot be right or wrong,
More informationApplications of Formal Verification
Applications of Formal Verification Model Checking: Introduction to PROMELA Bernhard Beckert Mattias Ulbrich SS 2017 KIT INSTITUT FÜR THEORETISCHE INFORMATIK KIT University of the State of Baden-Württemberg
More informationAn Overview of the DE Hardware Description Language and Its Application in Formal Verification of the FM9001 Microprocessor
An Overview of the DE Hardware Description Language and Its Application in Formal Verification of the FM9001 Microprocessor Cuong Chau ckcuong@cs.utexas.edu Department of Computer Science The University
More informationLecture Notes on Session Types
Lecture Notes on Session Types 15-814: Types and Programming Languages Frank Pfenning Lecture 22 November 27, 2018 1 Introduction Some of the material in this lecture, specifically, the discussion of external
More informationLecture 8: September 30
CMPSCI 377 Operating Systems Fall 2013 Lecture 8: September 30 Lecturer: Prashant Shenoy Scribe: Armand Halbert 8.1 Semaphores A semaphore is a more generalized form of a lock that can be used to regulate
More informationBehavioural Equivalences and Abstraction Techniques. Natalia Sidorova
Behavioural Equivalences and Abstraction Techniques Natalia Sidorova Part 1: Behavioural Equivalences p. p. The elevator example once more How to compare this elevator model with some other? The cabin
More informationFormal Methods in Software Development
Formal Methods in Software Development Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at
More informationVerification Condition Generation
Verification Condition Generation Jorge Sousa Pinto Departamento de Informática / Universidade do Minho jsp@di.uminho.pt www.di.uminho.pt/~jsp Outline (1) - From Hoare Logic to VCGen algorithms: an architecture
More informationApplications of Formal Verification
Applications of Formal Verification Model Checking: Introduction to PROMELA Prof. Dr. Bernhard Beckert Dr. Vladimir Klebanov SS 2012 KIT INSTITUT FÜR THEORETISCHE INFORMATIK KIT University of the State
More informationLecture 2. Decidability and Verification
Lecture 2. Decidability and Verification model temporal property Model Checker yes error-trace Advantages Automated formal verification, Effective debugging tool Moderate industrial success In-house groups:
More informationSymbolic and Concolic Execution of Programs
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015 Information Security, CS 526 1 Reading for this lecture Symbolic execution and program testing - James
More informationCLAN: A Tool for Contract Analysis and Conflict Discovery
CLAN: A Tool for Contract Analysis and Conflict Discovery Stephen Fenech 1, Gordon J. Pace 1, and Gerardo Schneider 2 1 Dept. of Computer Science, University of Malta, Malta 2 Dept. of Informatics, University
More informationImproving the Practicality of Transactional Memory
Improving the Practicality of Transactional Memory Woongki Baek Electrical Engineering Stanford University Programming Multiprocessors Multiprocessor systems are now everywhere From embedded to datacenter
More informationThe UPPAAL Model Checker. Julián Proenza Systems, Robotics and Vision Group. UIB. SPAIN
The UPPAAL Model Checker Julián Proenza Systems, Robotics and Vision Group. UIB. SPAIN The aim of this presentation Introduce the basic concepts of model checking from a practical perspective Describe
More informationTechniques for the unambiguous specification of software
Formal Techniques for the unambiguous of software Objectives To explain why formal techniques help discover problems in system requirements To describe the use of algebraic techniques for interface To
More informationApplications of Formal Verification
Applications of Formal Verification Model Checking: Introduction to PROMELA Prof. Dr. Bernhard Beckert Dr. Vladimir Klebanov SS 2010 KIT INSTITUT FÜR THEORETISCHE INFORMATIK KIT University of the State
More informationLindsay Groves, Simon Doherty. Mark Moir, Victor Luchangco
Lindsay Groves, Simon Doherty Victoria University of Wellington Mark Moir, Victor Luchangco Sun Microsystems, Boston (FORTE, Madrid, September, 2004) Lock-based concurrency doesn t scale Lock-free/non-blocking
More informationSpecifying Concurrent Programs: a case study in JML and Separation Logic
Specifying Concurrent Programs: a case study in JML and Separation Logic Martijn Roo University of Twente The Netherlands m.j.roo@student.utwente.nl ABSTRACT This paper presents a case study for the verification
More informationFormal Methods for Software Development
Formal Methods for Software Development Verification with Spin Wolfgang Ahrendt 07 September 2018 FMSD: Spin /GU 180907 1 / 34 Spin: Previous Lecture vs. This Lecture Previous lecture Spin appeared as
More informationIndistinguishability: Friend and Foe of Concurrent Data Structures. Hagit Attiya CS, Technion
Indistinguishability: Friend and Foe of Concurrent Data Structures Hagit Attiya CS, Technion Uncertainty is a main obstacle for designing correct applications in concurrent systems Formally captured by
More information15-819M: Data, Code, Decisions
15-819M: Data, Code, Decisions 08: First-Order Logic André Platzer aplatzer@cs.cmu.edu Carnegie Mellon University, Pittsburgh, PA André Platzer (CMU) 15-819M/08: Data, Code, Decisions 1 / 40 Outline 1
More informationIntegrating Arrays into the Heap-Hop program prover
Integrating Arrays into the Heap-Hop program prover Ioana Cristescu under the supervision of Jules Villard Queen Mary University of London 7 September 2011 1 / 29 Program verification using Heap-Hop Program
More informationModel Checking with Automata An Overview
Model Checking with Automata An Overview Vanessa D Carson Control and Dynamical Systems, Caltech Doyle Group Presentation, 05/02/2008 VC 1 Contents Motivation Overview Software Verification Techniques
More informationUniLFS: A Unifying Logical Framework for Service Modeling and Contracting
UniLFS: A Unifying Logical Framework for Service Modeling and Contracting RuleML 2103: 7th International Web Rule Symposium July 11-13, 2013 Dumitru Roman 1 and Michael Kifer 2 1 SINTEF / University of
More informationDistributed Systems Programming (F21DS1) Formal Verification
Distributed Systems Programming (F21DS1) Formal Verification Andrew Ireland Department of Computer Science School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh Overview Focus on
More informationSpecification of a transacted memory for smart cards in Java and JML
Specification of a transacted memory for smart cards in Java and JML Erik Poll University of Nijmegen, NL Pieter Hartel Eduard de Jong Joint work with University of Twente Sun Microsystems Transacted Memory
More informationWeak Memory Models: an Operational Theory
Opening Weak Memory Models: an Operational Theory INRIA Sophia Antipolis 9th June 2008 Background on weak memory models Memory models, what are they good for? Hardware optimizations Contract between hardware
More informationThreaded Programming. Lecture 9: Alternatives to OpenMP
Threaded Programming Lecture 9: Alternatives to OpenMP What s wrong with OpenMP? OpenMP is designed for programs where you want a fixed number of threads, and you always want the threads to be consuming
More informationModel Checking. Dragana Cvijanovic
Model Checking Dragana Cvijanovic d.cvijanovic@cs.ucl.ac.uk 1 Introduction Computerised systems pervade more and more our everyday lives. Digital technology is now used to supervise critical functions
More informationSchool of Computer & Communication Sciences École Polytechnique Fédérale de Lausanne
Principles of Dependable Systems Building Reliable Software School of Computer & Communication Sciences École Polytechnique Fédérale de Lausanne Winter 2006-2007 Outline Class Projects: mtgs next week
More informationABHELSINKI UNIVERSITY OF TECHNOLOGY
T-79.5305 Formal Methods (4 ECTS) T-79.5305 Formaalit menetelmät (4 op) 2006-09-13 Tommi Junttila, Keijo Heljanko, Ilkka Niemelä, and Heikki Tauriainen T-79.5305 Formal Methods, Autumn 2006 1/27 T-79.5305
More informationIntroduction to Model Checking
Introduction to Model Checking René Thiemann Institute of Computer Science University of Innsbruck WS 2007/2008 RT (ICS @ UIBK) week 4 1/23 Outline Promela - Syntax and Intuitive Meaning Promela - Formal
More informationVerification and Validation
2014-2015 Verification and Validation Part I : Extended Static Analysis Burkhart Wolff Département Informatique Université Paris-Sud / Orsay Static Analysis! We have seen test methods, and proof methods.
More informationCompositional Software Model Checking
Compositional Software Model Checking Dan R. Ghica Oxford University Computing Laboratory October 18, 2002 Outline of talk program verification issues the semantic challenge programming languages the logical
More informationProving the Correctness of Distributed Algorithms using TLA
Proving the Correctness of Distributed Algorithms using TLA Khushboo Kanjani, khush@cs.tamu.edu, Texas A & M University 11 May 2007 Abstract This work is a summary of the Temporal Logic of Actions(TLA)
More informationCertified Memory Usage Analysis
Certified Memory Usage Analysis David Cachera, Thomas Jensen, David Pichardie, Gerardo Schneider IRISA, ENS Cachan Bretagne, France Context Embedded devices (smart cards, mobile phones) memory is limited
More informationLecture 5 - Axiomatic semantics
Program Verification March 2014 Lecture 5 - Axiomatic semantics Lecturer: Noam Rinetzky Scribes by: Nir Hemed 1.1 Axiomatic semantics The development of the theory is contributed to Robert Floyd, C.A.R
More informationAoraï Plugin Tutorial
Aoraï Plugin Tutorial (A.k.a. LTL to ACSL) Nicolas Stouls and Virgile Prevosto Nicolas.Stouls@insa-lyon.fr,virgile.prevosto@cea.fr October 31, 2017 Foreword Aoraï is a Frama-C plugin that provides a method
More informationSummary Semaphores. Passing the Baton any await statement. Synchronisation code not linked to the data
Lecture 4 Monitors Summary Semaphores Good news Simple, efficient, expressive Passing the Baton any await statement Bad news Low level, unstructured omit a V: deadlock omit a P: failure of mutex Synchronisation
More informationWritten Presentation: JoCaml, a Language for Concurrent Distributed and Mobile Programming
Written Presentation: JoCaml, a Language for Concurrent Distributed and Mobile Programming Nicolas Bettenburg 1 Universitaet des Saarlandes, D-66041 Saarbruecken, nicbet@studcs.uni-sb.de Abstract. As traditional
More informationThe University of Iowa Fall CS:5810 Formal Methods in Software Engineering. Introduction
The University of Iowa Fall 2017 CS:5810 Formal Methods in Software Engineering Introduction Copyright 2017, Cesare Tinelli, Pierre-Loïc Garoche, Reiner Hänle, Steven Miller These notes are copyrighted
More informationHoare Logic and Model Checking
Hoare Logic and Model Checking Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft Introduction In the
More informationFrom Event-B Models to Dafny Code Contracts
From Event-B Models to Dafny Code Contracts Mohammadsadegh Dalvandi, Michael Butler, Abdolbaghi Rezazadeh Electronic and Computer Science School, University of Southampton Southampton, United Kingdom {md5g11,mjb,ra3}@ecs.soton.ac.uk
More informationProperty Specifications
Property Specifications Jim Browne Table of Contents Overview Temporal Logics Specification Patterns The major part of this lecture is taken from slides by David Garlan 9/4/2008 Unification of Verification
More informationProcesses & Threads. Concepts: processes - units of sequential execution.
Chapter 2 Processes & Threads concurrent processes We structure complex systems as sets of simpler activities, each represented as a sequential process. Processes can overlap or be concurrent, so as to
More informationChapter 2. Processes & Threads. Concurrency: processes & threads 1. Magee/Kramer
Chapter 2 Processes & Threads Concurrency: processes & threads 1 concurrent processes We structure complex systems as sets of simpler activities, each represented as a sequential process. Processes can
More informationWitnessing the Elimination of Magic Wands
Witnessing the Elimination of Magic Wands Stefan Blom and Marieke Huisman University of Twente November 8, 2013 Abstract. This paper discusses the use and verification of magic wands. Magic wands are used
More informationModel Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12
Model Checking mc Revision:.2 Model Checking for Infinite Systems mc 2 Revision:.2 check algorithmically temporal / sequential properties fixpoint algorithms with symbolic representations: systems are
More informationAdvances in Programming Languages
O T Y H Advances in Programming Languages APL8: ESC/Java2 David Aspinall (including slides by Ian Stark and material adapted from ESC/Java2 tutorial by David Cok, Joe Kiniry and Erik Poll) School of Informatics
More informationAoraï Plugin Tutorial
Aoraï Plugin Tutorial (A.k.a. LTL to ACSL) Nicolas Stouls and Virgile Prevosto Nicolas.Stouls@insa-lyon.fr,virgile.prevosto@cea.fr October 7, 2011 Foreword Aoraï is a Frama-C plugin that provides a method
More informationHoare Logic and Model Checking. A proof system for Separation logic. Introduction. Separation Logic
Introduction Hoare Logic and Model Checking In the previous lecture we saw the informal concepts that Separation Logic is based on. Kasper Svendsen University of Cambridge CST Part II 2016/17 This lecture
More informationVerification and Validation
Cycle Ingénieur 2 ème année Département Informatique Verification and Validation Part IV : Proof-based Verification (I) Burkhart Wolff Département Informatique Université Paris-Sud / Orsay 2013-2014 What
More informationVerification and Validation
2017-2018 Cycle Ingénieur 2 ème année Département Informatique Verification and Validation Part IV : Proof-based Verification (I) Burkhart Wolff Département Informatique Université Paris-Sud / Orsay Difference
More informationF-Soft: Software Verification Platform
F-Soft: Software Verification Platform F. Ivančić, Z. Yang, M.K. Ganai, A. Gupta, I. Shlyakhter, and P. Ashar NEC Laboratories America, 4 Independence Way, Suite 200, Princeton, NJ 08540 fsoft@nec-labs.com
More informationPostprint.
http://www.diva-portal.org Postprint This is the accepted version of a paper presented at 7th International Conference, VSTTE 2015, San Francisco, CA, USA, July 18-19, 2015. Citation for the original published
More informationPromela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN
Promela and SPIN Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH Promela and SPIN Promela (Protocol Meta Language): Language for modelling discrete, event-driven
More informationSuggested Solutions (Midterm Exam October 27, 2005)
Suggested Solutions (Midterm Exam October 27, 2005) 1 Short Questions (4 points) Answer the following questions (True or False). Use exactly one sentence to describe why you choose your answer. Without
More informationBandera: Extracting Finite-state Models from Java Source Code
Bandera: Extracting Finite-state Models from Java Source Code James C. Corbet Matthew B. Dwyer John Hatcliff Shawn Laubach Corina S. Păsăreanu Robby Hongjun Zheng Presenter: Henrik Kragh-Hansen October
More informationAlgebraic specification and verification with CafeOBJ Part 1 Introduction
Algebraic specification and verification with CafeOBJ Part 1 Introduction Norbert Preining ESSLLI 2016 Bozen, August 2016 Algebraic specification and verification with CafeOBJ [5pt]Part 1 Introduction
More informationVerifying Concurrent Memory Reclamation Algorithms with Grace
Verifying Concurrent Memory Reclamation Algorithms with Grace Alexey Gotsman, Noam Rinetzky, and Hongseok Yang 1 IMDEA Software Institute 2 Tel-Aviv University 3 University of Oxford Abstract. Memory management
More informationProgram logics for relaxed consistency
Program logics for relaxed consistency UPMARC Summer School 2014 Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) 1st Lecture, 28 July 2014 Outline Part I. Weak memory models 1. Intro
More informationhijac UTP Semantics for Safety-Critical Java University of York hijac Workshop 15 November 2011
UTP Semantics for Safety-Critical Java University of York Workshop 15 November 2011 1 / 27 Outline 1 Unifying Theories of Programming 2 SCJ-Circus 3 UTP SCJ Memory Model 4 COMPASS 5 Conclusions 2 / 27
More informationAutomated Software Synthesis for Complex Robotic Systems
Automated Software Synthesis for Complex Robotic Systems Indranil Saha Department of Computer Science and Engineering Indian Institute of Technology Kanpur Indranil Saha Automated Software Synthesis for
More informationMTV: METHODS & TOOLS 4 VERIFICATION MASTER COMPUTER SCIENCE MARIEKE HUISMAN: STUDY ADVISOR MY NAME: JACO VAN DE POL
MTV: METHODS & TOOLS 4 VERIFICATION MASTER COMPUTER SCIENCE MARIEKE HUISMAN: STUDY ADVISOR MY NAME: JACO VAN DE POL OVERVIEW Motivation Program Tools and Techniques Why choose MTV? (or avoid it) MoTiVation:
More informationA Distributed Hash Table for Shared Memory
A Distributed Hash Table for Shared Memory Wytse Oortwijn Formal Methods and Tools, University of Twente August 31, 2015 Wytse Oortwijn (Formal Methods and Tools, AUniversity Distributed of Twente) Hash
More informationTeaching Principles of Dependable Distributed Software
Teaching Principles of Dependable Distributed Software Zoltán Horváth hz@inf.elte.hu Faculty of Informatics, Eötvös Loránd University, Budapest 14th Workshop on Software Engineering Education and Reverse
More informationAlgorithmic Verification of Procedural Programs in the Presence of Code Variability
Algorithmic Verification of Procedural Programs in the Presence of Code Variability Siavash Soleimanifard School of Computer Science and Communication KTH Royal Institute of Technology Stockholm Doctoral
More information6. Hoare Logic and Weakest Preconditions
6. Hoare Logic and Weakest Preconditions Program Verification ETH Zurich, Spring Semester 07 Alexander J. Summers 30 Program Correctness There are many notions of correctness properties for a given program
More informationModel-Driven Verifying Compilation of Synchronous Distributed Applications
Model-Driven Verifying Compilation of Synchronous Distributed Applications Sagar Chaki, James Edmondson October 1, 2014 MODELS 14, Valencia, Spain Report Documentation Page Form Approved OMB No. 0704-0188
More informationIntroduction to Embedded Systems
Introduction to Embedded Systems Sanjit A. Seshia UC Berkeley EECS 149/249A Fall 2015 2008-2015: E. A. Lee, A. L. Sangiovanni-Vincentelli, S. A. Seshia. All rights reserved. Chapter 3: Discrete Dynamics,
More informationMore on Verification and Model Checking
More on Verification and Model Checking Wednesday Oct 07, 2015 Philipp Rümmer Uppsala University Philipp.Ruemmer@it.uu.se 1/60 Course fair! 2/60 Exam st October 21, 8:00 13:00 If you want to participate,
More informationViper: A Verification Infrastructure for Permission-Based Reasoning
Viper: A Verification Infrastructure for Permission-Based Reasoning Peter Müller, Malte Schwerhoff, and Alexander J. Summers Department of Computer Science, ETH Zurich, Switzerland {peter.mueller, malte.schwerhoff,
More informationG Programming Languages - Fall 2012
G22.2110-003 Programming Languages - Fall 2012 Lecture 4 Thomas Wies New York University Review Last week Control Structures Selection Loops Adding Invariants Outline Subprograms Calling Sequences Parameter
More informationProof-by-Instance for Embedded Network Design From Prototype to Tool Roadmap. Marc Boyer, Loïc Fejoz. 1, Stephan Merz 3
Proof-by-Instance for Embedded Network Design From Prototype to Tool Roadmap 2 Marc Boyer, Loïc Fejoz 1 1, Stephan Merz 3 RealTime at Work, Nancy, France 2 ONERA The French aerospace Lab, 3 Inria & LORIA,
More informationTo be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 COPYRIGHT 2011 ALCATEL-LUCENT. ALL RIGHTS RESERVED.
To be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 Introduction SDN research directions as outlined in IRTF RG outlines i) need for more flexibility and programmability
More informationThe GROOVE Simulator: A Tool for State Space Generation
Presented at AGTIVE, September 2003, Charlottesville, Virginia. To appear in Lecture Notes in Computer Science, Springer-Verlag. The GROOVE Simulator: A Tool for State Space Generation Arend Rensink University
More information