Bogor An extensible and highly-modular model checking framework

Similar documents
Bogor: An Extensible and Highly-Modular Software Model Checking Framework

A Flexible Framework for the Estimation of Coverage Metrics in Explicit State Software Model Checking

Supporting Model Checking Education using BOGOR/Eclipse

Bandera: Extracting Finite-state Models from Java Source Code

Software Model Checking. From Programs to Kripke Structures

Copyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology

Java PathFinder JPF 2 Second Generation of Java Model Checker

Source Code Formal Verification. Riccardo Sisto, Politecnico di Torino

Part II: Atomicity for Software Model Checking. Analysis of concurrent programs is difficult (1) Transaction. The theory of movers (Lipton 75)

The SPIN Model Checker

Agenda. CSE P 501 Compilers. Java Implementation Overview. JVM Architecture. JVM Runtime Data Areas (1) JVM Data Types. CSE P 501 Su04 T-1

Spin: Overview of PROMELA

Computing Approximate Happens-Before Order with Static and Dynamic Analysis

Representation Independence, Confinement and Access Control

Java Pathfinder. State of Affairs. Pavel Parizek. School of Computer Science, University of Waterloo

Computation Abstractions. Processes vs. Threads. So, What Is a Thread? CMSC 433 Programming Language Technologies and Paradigms Spring 2007

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

Applications of Formal Verification

Software Engineering using Formal Methods

Formal Specification and Verification

Representation Independence, Confinement and Access Control

Thread Safety. Review. Today o Confinement o Threadsafe datatypes Required reading. Concurrency Wrapper Collections

Question 1. Notes on the Exam. Today. Comp 104: Operating Systems Concepts 11/05/2015. Revision Lectures

Hybrid Analysis for Partial Order Reduction of Programs with Arrays

Software Engineering using Formal Methods

Compiler Construction

Specification and Generation of Environment for Model Checking of Software Components *

CSE P 501 Compilers. Java Implementation JVMs, JITs &c Hal Perkins Winter /11/ Hal Perkins & UW CSE V-1

The Spin Model Checker : Part I/II

Spin: Overview of PROMELA

Operational Semantics of Cool

Concepts of Object-Oriented Programming Peter Müller

CS 5523 Operating Systems: Midterm II - reivew Instructor: Dr. Tongping Liu Department Computer Science The University of Texas at San Antonio

Notes on the Exam. Question 1. Today. Comp 104:Operating Systems Concepts 11/05/2015. Revision Lectures (separate questions and answers)

Compiler Construction

Analyzing Interaction Orderings with Model Checking

Applications of Formal Verification

CMSC 330: Organization of Programming Languages

Applications of Formal Verification

Comp 204: Computer Systems and Their Implementation. Lecture 25a: Revision Lectures (separate questions and answers)

Concepts of Object-Oriented Programming Peter Müller

Overview. CMSC 330: Organization of Programming Languages. Concurrency. Multiprocessors. Processes vs. Threads. Computation Abstractions

Static Program Analysis

Software Model Checking: Theory and Practice

Programming Languages Lecture 15: Recursive Types & Subtyping

Using Java Pathfinder to Reason about Agent Systems

Semantic Analysis and Type Checking

Model Checking with Abstract State Matching

Promela and SPIN. Mads Dam Dept. Microelectronics and Information Technology Royal Institute of Technology, KTH. Promela and SPIN

Verifying Concurrent Programs

Mechanized Operational Semantics

Lecture Outline. COOL operational semantics. Operational Semantics of Cool. Motivation. Lecture 13. Notation. The rules. Evaluation Rules So Far

Software Model Checking. Xiangyu Zhang

More on Verification and Model Checking

Sharing Objects. Java and Android Concurrency.

The Abstract Behavioral Specification Language

Combining Complementary Formal Verification Strategies to Improve Performance and Accuracy

R13 SET Discuss how producer-consumer problem and Dining philosopher s problem are solved using concurrency in ADA.

Operational Semantics. One-Slide Summary. Lecture Outline

Project 5 Due 11:59:59pm Wed, Nov 25, 2015 (no late submissions)

Generating Code from Event-B Using an Intermediate Specification Notation

Multithreaded Programming Part II. CSE 219 Stony Brook University, Department of Computer Science

Thread-Local. Lecture 27: Concurrency 3. Dealing with the Rest. Immutable. Whenever possible, don t share resources

Non-blocking Array-based Algorithms for Stacks and Queues. Niloufar Shafiei

5/23/2015. Core Java Syllabus. VikRam ShaRma

Verification of Java programs using networks of finite automata with discrete data.

SPIN: Part /614 Bug Catching: Automated Program Verification. Sagar Chaki November 12, Carnegie Mellon University

Semantic Analysis. CSE 307 Principles of Programming Languages Stony Brook University

Program verification. Generalities about software Verification Model Checking. September 20, 2016

From IMP to Java. Andreas Lochbihler. parts based on work by Gerwin Klein and Tobias Nipkow ETH Zurich

Experience with Processes and Monitors in Mesa. Arvind Krishnamurthy

1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.

Tool demonstration: Spin

Outline. Introduction Concepts and terminology The case for static typing. Implementing a static type system Basic typing relations Adding context

Threads Questions Important Questions

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

INF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen

Dealing with Issues for Interprocess Communication

Dynamic Software Model Checking

Concurrent processes. Processes and Threads. Processes and threads. Going back to Concurrency. Modelling Processes. Modeling processes

AC59/AT59/AC110/AT110 OPERATING SYSTEMS & SYSTEMS SOFTWARE DEC 2015

THREADS & CONCURRENCY

Runtime Checking for Program Verification Systems

Written Presentation: JoCaml, a Language for Concurrent Distributed and Mobile Programming

G Programming Languages - Fall 2012

INF 212 ANALYSIS OF PROG. LANGS CONCURRENCY. Instructors: Crista Lopes Copyright Instructors.

22c:181 / 55:181 Formal Methods in Software Engineering

The Java Memory Model

Agenda. Highlight issues with multi threaded programming Introduce thread synchronization primitives Introduce thread safe collections

Introduction to Locks. Intrinsic Locks

Hard Real-Time Garbage Collection in Java Virtual Machines

The Problem with Threads

CS558 Programming Languages

Concurrency, Thread. Dongkun Shin, SKKU

CSE450. Translation of Programming Languages. Lecture 11: Semantic Analysis: Types & Type Checking

Test 1 Summer 2014 Multiple Choice. Write your answer to the LEFT of each problem. 5 points each 1. Preprocessor macros are associated with: A. C B.

Lecture Outline. COOL operational semantics. Operational Semantics of Cool. Motivation. Notation. The rules. Evaluation Rules So Far.

CMSC421: Principles of Operating Systems

Symbolic PathFinder, Pex, RoadRunner

First Steps to Automated Driver Verification via Model Checking

Transcription:

Bogor An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA http://bogor.projects.cis.ksu.edu Principal Investigators Matt Dwyer John Hatcliff Students Robby Support US Army Research Office (ARO) NSF CCR-SEL

Model Checking-based Analyses Pros Rich-class of correctness properties Precise semantic reasoning Cons Relative to typical static analyses Scalability Mapping software artifact onto model checking framework

Checking Behavioral Software Models Requirements Chan, Atlee, Heitmeyer, Chechik, Heimdahl Architectural Garlan, Magee & Kramer, Design State-machines, HERMES, Cadena, Implementation JPF, Bandera, SLAM, MAGIC, BLAST,

Experience with Existing Tools Significant experience using existing tools hand-crafted models as target of translation Clever mappings required to express artifact features, e.g., heap data for efficiency, e.g., symmetry reductions Often times additional state variables were needed to express events in state-based formalisms to state properties over extent of a reference type to implement scheduling policies

Custom Model Checkers Modifying a model checker is daunting dspin (Iosif) SMV (Chan) Building a custom model checker is a point-solution JPF, SLAM, Tool-kits don t yield optimized checkers NuSMV, Concurrency Factory, The Kit, Bogor incorporates the advantages of each of these approaches

We would like. Rich core input language for modeling dynamic and concurrent system Extensible input language Minimizes syntactic modification when extending Minimizes effort for customized semantics Highly-capable core checker State-of-the-art reduction algorithms Customizable checker components Eases specialization or adaptation to a particular family of software artifacts Domain-experts with some knowledge of model checking can customize the checker on their own

Rich Input Language Built on guarded-assignment language Natural to model concurrent system Features to support dynamic, concurrent software artifacts Dynamic creation of threads and objects Automatic memory management (ala Java) Inheritance, exceptions, (recursive) functions Type-safe function pointers

Extensible Input Language Allow model checker input language to directly support natural domain abstractions For example, chan in Promela Hides intricate details of how a communication channel is implemented Only focuses on the behavior of the channel that is relevant, e.g., synchronous, rendezvous, etc. Fewer details of states that need to be stored, and possibly less states that needs to be explored Syntax does not need to change, and new abstractions can be added on demand

Extensible Input Language Resource Contention Example Process#1 acquire acquire Process#2 release release release Resource Pool release Process#3 acquire acquire Process#4

Extensible Input Language Resource Contention Example Process#1 Process#2 Resource Pool Process#3 acquire acquire Process#4

Extensible Input Language Resource Contention Example Process#1 Process#2 How How do do we we represent represent the the resource resource pool pool if if we we are are checking checking for for example example deadlock? deadlock? Process#3 release Resource Pool release How How do do we we encode encode the the representation representation in in the the model? model? Process#4

Extensible Input Language Set Extension Example (Syntax) Bogor allows new abstract types and abstract operations as first-class construct

Extensible Input Language Set Extension Example (Semantics) Implementing the set value for the set type public class MySet implements INonPrimitiveExtValue { protected HashSet set = new HashSet(); protected boolean isnonprimitiveelement; Constructs a bit bit vector vector that that represents the the set set instead instead of of encoding the the HashSet instance Reuse Reuse Java Java collection to to implement set set public void add(ivalue v) { set.add(v); } public byte[][] linearize(..., int bitspernpv, ObjectIntTable npvidmap) { Object[] elements = set.toarray(); BitBuffer bb = new BitBuffer(); if (isnonprimitiveelement) { int[] elementids = new int[elements.length]; for (int i = 0; i < elements.length; i++) elementids[i] = npvidmap.get(elements[i]); Arrays.sort(elementIds); for (int i = 0; i < elements.length; i++) bb.append(elementids[i], bitspernpv); } else... return new byte[][] { bb.tobytearray() }; }... Wrapper for for add add operation

Extensible Input Language Set Extension Example (Semantics) R G B The The state state of of the the set set consists of of encodings of of the the references to to resources And And ordered! <R,G,B> <B,G,R> Suppose the the references to to resources are are represented as as integers R, R, G, G, B

Extensible Input Language Observable Extension Example Expression/action extensions can: be non-deterministic have access to all the information in the current state and all previous states in the DFS stack Easy to express predicates/functions over dynamic data e.g., non-deterministically choose a reachable heap instance from a given reference

Extensible Input Language Observable Extension Example (Syntax) An invariant example using Bogor function expressions Function expressions can be recursive

Extensible Input Language Observable Extension Example (Semantics) public IValue forall(iextarguments arg) { String predfunid =.. MySet set = (MySet) arg.getargument(1); IValue[] els = set.elements(); for (int i = 0; i < els.length; i++) { IValue val = ee.evaluateapply(predfunid, new IValue[] {els[i] }); if (isfalse(val)) return getbooleanvalue(false); } return getbooleanvalue(true); }

Highly Capable Core Checker Bogor implements state-of-the-art reduction techniques Collapse compression [Holzmann 97] Heap symmetry [Iosif 02] Thread symmetry [Bosnacki 02] Partial-order reduction [Dwyer-al 03]

Customizable Architecture.bir Lexer Parser IActionTaker IBacktrackIF IStateMgr Verified IExpEvaluator ITransformer ISearcher.config Type Checking Semantic Analyses IValueFactory ISchedulingStg IStateFactory Counter Example

Assessment Dynamic Escape Analysis for POR (150 LOC, 20x) Rich-forms of heap quantification Dynamic atomicity (5 LOC, 5x) Middle-ware model Priority Scheduling (200 LOC, 10x) Relative-time environment (10x) Lazy-time environment (240 LOC, 100x) Frame-bounded safety properties Quasi-cyclic search (200 LOC, 100x)

Tool Availability (Summer 03) http://bogor.projects.cis.ksu.edu

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback