State of art and challenges in deductive verification of concurrent programs with cooperative scheduling

Similar documents
History-Based Specification and Verification of Scalable Concurrent and Distributed Systems

Cover Page. The handle holds various files of this Leiden University dissertation

Fundamentals of Software Engineering

INF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen

Fault in the Future. Ivan Lanese Computer Science Department University of Bologna/INRIA Italy

Verification of Asynchronously Communicating Objects. Crystal Chang Din

Fundamentals of Software Engineering

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Software Engineering using Formal Methods

Softwaretechnik. Lecture 03: Types and Type Soundness. Peter Thiemann. University of Freiburg, Germany SS 2008

Design and Analysis of Executable Software Models:

Formal Systems II: Applications

Analysis of Executable Software Models

Towards Combined Static and Runtime Verification of Distributed Software

Testing, Debugging, Program Verification

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Software Engineering using Formal Methods

SMT-LIB for HOL. Daniel Kroening Philipp Rümmer Georg Weissenbacher Oxford University Computing Laboratory. ITP Workshop MSR Cambridge 25 August 2009

Programming Embedded Systems

Formal Specification and Verification

An Introduction to Lustre

Asynchronous Models. Chapter Asynchronous Processes States, Inputs, and Outputs

Fundamentals of Software Engineering

From OCL to Propositional and First-order Logic: Part I

Introduction to Formal Methods

1. In waterfall model, output of one phase is input to next phase. True or false.

Cyber Physical System Verification with SAL

SACO: Static Analyzer for Concurrent Objects

Overview of the KeY System

Formal Methods for Software Development

A step towards reconciling GALS industrial design with formal verification

VeriCon: Towards Verifying Controller Programs in SDNs

Formal Specification and Verification

VS 3 : SMT Solvers for Program Verification

To be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 COPYRIGHT 2011 ALCATEL-LUCENT. ALL RIGHTS RESERVED.

S2W: Verification using Small and Short Worlds

A Tutorial on Runtime Verification and Assurance. Ankush Desai EECS 219C

Software Model Checking. Xiangyu Zhang

Model Checking with Automata An Overview

Axiomatic Specification. Al-Said, Apcar, Jerejian

Sérgio Campos, Edmund Clarke

ECE 587 Hardware/Software Co-Design Lecture 12 Verification II, System Modeling

Softwaretechnik. Program verification. Albert-Ludwigs-Universität Freiburg. June 28, Softwaretechnik June 28, / 24

Bounded Model Checking Of C Programs: CBMC Tool Overview

Design and Implementation of an Abstract Interpreter for VHDL

CS 510/13. Predicate Abstraction

Assignment #4: Lambda Calculus & Semi-automatic Program Verification. You are allowed to work on this assignment in pairs. Hand in Requirements:

COMP 763. Eugene Syriani. Ph.D. Student in the Modelling, Simulation and Design Lab School of Computer Science. McGill University

The Systematic Generation of Channelling Constraints

Model-based Development of Web Services using Design-by-Contract

Software Engineering using Formal Methods

Distributed Systems Programming (F21DS1) Formal Verification

In Our Last Exciting Episode

XPath with transitive closure

A Verified Implementation of the Bounded List Container

Recap. Juan Pablo Galeotti,Alessandra Gorla, Software Engineering Chair Computer Science Saarland University, Germany

Representing Swarm Behaviors

Formal Methods and their role in Software and System Development. Riccardo Sisto, Politecnico di Torino

Reasoning About Loops Using Vampire

GCLC A Tool for Constructive Euclidean Geometry and More than That

Why. an intermediate language for deductive program verification

Introduction to Denotational Semantics. Class Likes/Dislikes Survey. Dueling Semantics. Denotational Semantics Learning Goals. You re On Jeopardy!

Handout 9: Imperative Programs and State

Analyzing Tabular Requirements Specifications Using Infinite State Model Checking

02157 Functional Programming. Michael R. Ha. Lecture 2: Functions, Types and Lists. Michael R. Hansen

6. Hoare Logic and Weakest Preconditions

On partial order semantics for SAT/SMT-based symbolic encodings of weak memory concurrency

Seminar in Software Engineering Presented by Dima Pavlov, November 2010

Translation validation: from Simulink to C

An Evolution of Mathematical Tools

Formal Verification. Lecture 7: Introduction to Binary Decision Diagrams (BDDs)

TLA+ TLC. Rui Fan Stanislav Funiac Mandana Vaziri. Presented by Spring 2001

Automatic Software Verification

Proving the Correctness of Distributed Algorithms using TLA

March 2, Homepage:

Variability Hiding in Contracts for Dependent Software Product Lines

Verification Conditions. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

A Hoare Logic for Concurrent Objects with Asynchronous Method Calls. Johan Dovland, Einar B. Johnsen, and Olaf Owe

GNATprove a Spark2014 verifying compiler Florian Schanda, Altran UK

OpenVera Assertions. March Synopsys, Inc.

Proof Pearl: The Termination Method of TERMINATOR

3.4 Deduction and Evaluation: Tools Conditional-Equational Logic

Push-Button Verification of File Systems

Web Service Interfaces

Toward Architecture-based Reliability Estimation

Static Contract Checking for Haskell

Typed Lambda Calculus. Chapter 9 Benjamin Pierce Types and Programming Languages

State Identification In The Hybrid Automata Description Of Dynamical Systems

TVLA: A SYSTEM FOR GENERATING ABSTRACT INTERPRETERS*

BOOGIE. Presentation by Itsik Hefez A MODULAR REUSABLE VERIFIER FOR OBJECT-ORIENTED PROGRAMS MICROSOFT RESEARCH

Analyzing Tabular Requirements Specifications Using Infinite State Model Checking

Lecture 5 - Axiomatic semantics

Runtime Checking for Program Verification Systems

Model Checking VHDL with CV

Verifying Java Programs Verifying Java Programs with KeY

Towards the typing of resource deployment

Proofs and Proof Certification in the TLA + Proof System

Real Time & Embedded Systems. Final Exam - Review

15-819M: Data, Code, Decisions

A CRASH COURSE IN SEMANTICS

Transcription:

State of art and challenges in deductive verification of concurrent programs with cooperative scheduling Crystal Chang Din Software Engineering Group, TU Darmstadt, Germany 28.09.2015 http://www.envisage-project.eu Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 1

The concurrency model of the ABS language ABS stands for Abstract Behavioral Specification Active objects Futures Cooperative scheduling scheduling points are made syntactically explicit in the code await statements (on boolean expressions or futures) Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 2

An ABS example class C() implements CI { Int x = 0; } Unit m(ci o){ await x > 0; /* a sequence of statements which does not contain release points */ Fut<Bool> f = o!n(...); await f?; /* a sequence of statements which does not contain release points */ } Bool n(){...} Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 3

Research Question 1 How to achieve compositional reasoning for ABS concurrent models? Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 4

Disjoint-event semantics for ABS method calls o o o invocation event invocation reaction event completion event completion reaction event completion reaction event Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 5

Disjoint-event semantics for ABS method calls o o o invocev(o, o, fr, m, e) invocrev(o, o, fr, m, e) compev(o, fr, m, e) comprev(o, fr, e) comprev(o, fr, e) Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 5

The data structure of histories Sequence is the data structure of histories! For example: H := concat(h, invocev(o, o, fr, m, e)), where H is a history sequence Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 6

Class invariant An invariant of a class C specifies invariant of instances of C. The class invariant serves as a contract between the different processes of the object must hold after initialization after method termination before suspension (on await statement) may assume when method starts after suspension (on await statement) Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 7

Class invariant establishes a relationship between the internal state and the observable behavior of the class instances defines the observable behavior in terms of the structure of communication histories ev1 ev2 ev3 Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 8

Network-on-Chips (NoC) packet switching platform R00 R10 R20 R30 R01 R11 R21 R31 R02 R12 R22 R32 R03 R13 R23 R33 Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 9

The Router class class Router(Pos address, Int buffsize) implements RouterI { Ports ports = EmptyMap; Set<Packet> receivedpks = EmptySet; Unit setports(router e, Router w, Router n, Router s){ ports = map[pair(n, P(True, True, n, 0)), Pair(S, P(True, True, s, 0)), Pair(E, P(True, True, e, 0)), Pair(W, P(True, True, w, 0))];} Unit getpk(packet pk, Direction srcport){...} } Unit redirectpk(packet pk, Direction srcport){...} Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 10

The redirectpk method Unit redirectpk(packet pk, Direction srcport){ Direction direc = xfirstrouting(addresspk(pk), address); await (instate(lookup(ports,srcport)) == True) && (outstate(lookup(ports,direc)) == True); } inset(lookup(ports, srcport), False)); ports = put(ports, direc, outset(lookup(ports, direc), False)); Router r = rid(lookup(ports, direc)); Fut<Unit> f = r!getpk(pk, opposite(direc)); await f?; decreasebuff(lookup(ports, srcport))); inset(lookup(ports, srcport), True)); ports = put(ports, direc, outset(lookup(ports, direc), True)); Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 11

The redirectpk method Unit redirectpk(packet pk, Direction srcport){ Direction direc = xfirstrouting(addresspk(pk), address); await (instate(lookup(ports,srcport)) == True) && (outstate(lookup(ports,direc)) == True); invocrev(_, this, fr, redirectpk, (pk, srcp)) } inset(lookup(ports, srcport), False)); ports = put(ports, direc, outset(lookup(ports, direc), False)); Router r = rid(lookup(ports, direc)); Fut<Unit> f = r!getpk(pk, opposite(direc)); await f?; decreasebuff(lookup(ports, srcport))); inset(lookup(ports, srcport), True)); ports = put(ports, direc, outset(lookup(ports, direc), True)); Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 11

The redirectpk method Unit redirectpk(packet pk, Direction srcport){ Direction direc = xfirstrouting(addresspk(pk), address); await (instate(lookup(ports,srcport)) == True) && (outstate(lookup(ports,direc)) == True); invocrev(_, this, fr, redirectpk, (pk, srcp)) check if input and output channels are available } inset(lookup(ports, srcport), False)); ports = put(ports, direc, outset(lookup(ports, direc), False)); Router r = rid(lookup(ports, direc)); Fut<Unit> f = r!getpk(pk, opposite(direc)); await f?; decreasebuff(lookup(ports, srcport))); inset(lookup(ports, srcport), True)); ports = put(ports, direc, outset(lookup(ports, direc), True)); Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 11

The redirectpk method Unit redirectpk(packet pk, Direction srcport){ Direction direc = xfirstrouting(addresspk(pk), address); await (instate(lookup(ports,srcport)) == True) && (outstate(lookup(ports,direc)) == True); inset(lookup(ports, srcport), False)); ports = put(ports, direc, outset(lookup(ports, direc), False)); invocrev(_, this, fr, redirectpk, (pk, srcp)) check if input and output channels are available block input and output channels } Router r = rid(lookup(ports, direc)); Fut<Unit> f = r!getpk(pk, opposite(direc)); await f?; decreasebuff(lookup(ports, srcport))); inset(lookup(ports, srcport), True)); ports = put(ports, direc, outset(lookup(ports, direc), True)); Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 11

The redirectpk method Unit redirectpk(packet pk, Direction srcport){ Direction direc = xfirstrouting(addresspk(pk), address); await (instate(lookup(ports,srcport)) == True) && (outstate(lookup(ports,direc)) == True); inset(lookup(ports, srcport), False)); ports = put(ports, direc, outset(lookup(ports, direc), False)); Router r = rid(lookup(ports, direc)); Fut<Unit> f = r!getpk(pk, opposite(direc)); await f?; invocrev(_, this, fr, redirectpk, (pk, srcp)) check if input and output channels are available block input and output channels invocev(this, _, _, getpk, (pk, dirp)) } decreasebuff(lookup(ports, srcport))); inset(lookup(ports, srcport), True)); ports = put(ports, direc, outset(lookup(ports, direc), True)); Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 11

The redirectpk method Unit redirectpk(packet pk, Direction srcport){ Direction direc = xfirstrouting(addresspk(pk), address); await (instate(lookup(ports,srcport)) == True) && (outstate(lookup(ports,direc)) == True); } inset(lookup(ports, srcport), False)); ports = put(ports, direc, outset(lookup(ports, direc), False)); Router r = rid(lookup(ports, direc)); Fut<Unit> f = r!getpk(pk, opposite(direc)); await f?; decreasebuff(lookup(ports, srcport))); inset(lookup(ports, srcport), True)); ports = put(ports, direc, outset(lookup(ports, direc), True)); invocrev(_, this, fr, redirectpk, (pk, srcp)) check if input and output channels are available block input and output channels invocev(this, _, _, getpk, (pk, dirp)) release input and output channels Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 11

The redirectpk method Unit redirectpk(packet pk, Direction srcport){ Direction direc = xfirstrouting(addresspk(pk), address); await (instate(lookup(ports,srcport)) == True) && (outstate(lookup(ports,direc)) == True); inset(lookup(ports, srcport), False)); ports = put(ports, direc, outset(lookup(ports, direc), False)); Router r = rid(lookup(ports, direc)); Fut<Unit> f = r!getpk(pk, opposite(direc)); await f?; invocrev(_, this, fr, redirectpk, (pk, srcp)) check if input and output channels are available block input and output channels invocev(this, _, _, getpk, (pk, dirp)) decreasebuff(lookup(ports, srcport))); inset(lookup(ports, srcport), True)); ports = put(ports, direc, outset(lookup(ports, direc), True)); release input and output channels } compev(this, fr, redirectpk, _) Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 11

Event sequences, indices and quantifiers The data structure of histories is sequence The consequences of this choice is the usage of quantifiers and indices Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 12

An invariant of the Router class: lockreleased Every time a router terminates an execution of the redirectpk method, the input and output channels used to redirect the fetched packet are released, and the packet has been redirected to a neighbor router through an invocation of the getpk method. fr. compev(this, fr, redirectpk, _) = at(h, len(h) 1) i 1, i 2, pk, src, dir. 0 < i 1 < i 2 < len(h) 1 (invocrev(_, this, fr, redirectpk, (pk, src)) = at(h, i 1 ) invocev(this, _, _, getpk, (pk, opposite(dir))) = at(h, i 2 )) (instate(lookup(ports, src)) outstate(lookup(ports, dir))) Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 13

An invariant of the Router class : packetfetched Every time a router terminates an execution of the getpk method, it must either have sent an internal invocation to redirect the packet or have stored the packet in its receivedpks set. Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 14

Global Safety Properties h: local history H: global history H/o: projection from global history H to object o I this (h): lockreleased packetfetched A global history invariant can be obtained from the class invariants associated with all objects in the system, adding wellformedness of the global history. I(H) wf(h) (r:routerimp) new ob(h) I r (H/r) Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 15

Global Safety Properties Every time a router R terminates an execution of the redirectpk method, the pair of input and output channels used to redirect the fetched packet are released, and a neighbor router of R must either have sent an internal invocation to redirect the packet further or have stored the packet in its receivedpks set. Hence, the network does not drop any packets. This implies : no packets are lost Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 16

Tool and publications The theorem prover KeY-ABS can be downloaded here: http://www.envisage-project.eu/?page_id=1558 Publications: C.C. Din and O. Owe, Compositional reasoning about active objects with shared futures. Formal Aspect of Computing. 2015 C.C. Din, R. Bubel and R. Hähnle, KeY-ABS: A Deductive Verification Tool for the Concurrent Modelling Language ABS. CADE. 2015 C.C. Din, S. L. Tapia Tarifa, R. Hähnle and E. B. Johnsen. History-Based Specification and Verification of Scalable Concurrent and Distributed Systems. ICFEM. 2015. To appear. Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 17

Research Question 2 Class invariants should be readable and easy to reason about. Is there a better way to formulate the class invariant without quantifying over the indices of the event sequences? Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 18

Trace-based class invariants Work in progress: Idea 1: use explicit traces instead of finite sequences Idea 2: We need quantifiers for pattern matching but not for indices Definition (The universal type quantifier ω ) The universal type quantifier ω unwinds unbounded iteration. Let Ψ be a formula. ω x. Ψ(x) captures any trace of the form Ψ(x 0 ) Ψ(x 1 )..., where x i range over the current model s domain. Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 19

Trace-based class invariant: lockreleased Every time a router terminates an execution of the redirectpk method, the input and output channels used to redirect the fetched packet are released, and the packet has been redirected to a neighbor router through an invocation of the getpk method. ω fr, pk, src, dir. (... irv(this, _, fr, rpk, (pk, src)) iev(this, _, _, gpk, (pk, dir)) portsreleased cev(this, fr, rpk, _) Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 20

Research Question 3 How to enable pre- and post-condition reasoning across asynchronous calls? Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 21

Disjoint-event semantics for ABS method calls o o o invocation invocation reaction completion completion reaction completion reaction Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 22

Disjoint-event semantics for ABS method calls o o o invocation Time Gap invocation reaction completion completion reaction completion reaction Pre-condition is not anymore guaranteed to hold upon method execution! Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 22

Summary We achieve scalable verification of ABS concurrent models by compositional reasoning about history-based observable behavior The theorem prover KeY-ABS is available for downloaded http://www.envisage-project.eu/?page_id=1558 Ongoing work: Class invariants should be readable and easy to reason about Pre- and post-condition reasoning across asynchronous calls Active Object Workshop, 28.09.2015, Nice, France Crystal Chang Din (TUD) 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback