an extensible and highly-modular model checking framework santos laboratory, kansas state...
TRANSCRIPT
![Page 1: An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer](https://reader036.vdocument.in/reader036/viewer/2022070400/56649f145503460f94c29b1d/html5/thumbnails/1.jpg)
An extensible and highly-modular model checking framework
http://bogor.projects.cis.ksu.eduSAnToS Laboratory, Kansas State University, USA
Matt DwyerJohn Hatcliff
Principal Investigators
SupportARO CIP/SW URI award DAAD190110564DARPA/AFRL project AFRL-F33615-00-C-3044NSF SEL Program under Award CCR-0306607
Students
Robby
![Page 2: An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer](https://reader036.vdocument.in/reader036/viewer/2022070400/56649f145503460f94c29b1d/html5/thumbnails/2.jpg)
Model Checking-based Analyses
Given a finite-state model and property specifications Explores all possible states that are
reachable from the initial state and check the properties
For concurrent programs, explore all possible interleavings of threads
Needs to remember all states that are visited for termination
![Page 3: An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer](https://reader036.vdocument.in/reader036/viewer/2022070400/56649f145503460f94c29b1d/html5/thumbnails/3.jpg)
Model Checking-based Analyses
Rich-class of correctness properties Precise semantic reasoning
Relative to typical static analyses
Pros
Cons
Scalability!
![Page 4: An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer](https://reader036.vdocument.in/reader036/viewer/2022070400/56649f145503460f94c29b1d/html5/thumbnails/4.jpg)
Issues in Model Checking
Desperately need all reduction techniques one can think of Reducing the number of interleavings
that are considered (e.g., slicing, POR) Reducing the number of states that are
explored (e.g., slicing, abstractions, symmetry)
Reducing the number of bits needed to store the states (e.g., compression, collapse)
![Page 5: An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer](https://reader036.vdocument.in/reader036/viewer/2022070400/56649f145503460f94c29b1d/html5/thumbnails/5.jpg)
Issues in Model Checking — Experience with Existing Tools
Significant experience using existing tools hand-crafted models as target of translation
Clever mappings required to express artifact features, e.g., heap data for efficiency, e.g., symmetry reductions
Often times additional state variables were needed to express events in state-based formalisms to state properties over extent of a reference type to implement scheduling policies
![Page 6: An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer](https://reader036.vdocument.in/reader036/viewer/2022070400/56649f145503460f94c29b1d/html5/thumbnails/6.jpg)
Issues in Model Checking
Need complete control on all aspects of a model checker Efficient mapping of software artifact
onto model checking framework To implement the reduction techniques
Rapid prototyping
![Page 7: An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer](https://reader036.vdocument.in/reader036/viewer/2022070400/56649f145503460f94c29b1d/html5/thumbnails/7.jpg)
Issues in Model Checking —Custom Model Checkers Modifying a model checker is daunting
dSpin (Iosif) SMV (Chan)
Building a custom model checker is a point-solution JPF, SLAM, …
Tool-kits don’t yield optimized checkers NuSMV, Concurrency Factory, “The Kit”, …Bogor incorporates the advantages
of each of these approaches
![Page 8: An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer](https://reader036.vdocument.in/reader036/viewer/2022070400/56649f145503460f94c29b1d/html5/thumbnails/8.jpg)
We would like …. Rich core input language for modeling
dynamic and concurrent system Extensible input language
Minimizes syntactic modification when extending
Minimizes effort for customized semantics Highly-capable core checker
State-of-the-art reduction algorithms Customizable checker components
Eases specialization or adaptation to a particular family of software artifacts
Domain-experts with some knowledge of model checking can customize the checker on their own
![Page 9: An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer](https://reader036.vdocument.in/reader036/viewer/2022070400/56649f145503460f94c29b1d/html5/thumbnails/9.jpg)
Rich Input Language
Built on guarded-assignment language Natural to model concurrent system
Features to support dynamic, concurrent software artifacts Dynamic creation of threads and objects Automatic memory management (ala Java) Inheritance, exceptions, (recursive) functions Type-safe function pointers
![Page 10: An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer](https://reader036.vdocument.in/reader036/viewer/2022070400/56649f145503460f94c29b1d/html5/thumbnails/10.jpg)
Extensible Input Language Allow model checker input language to
directly support natural domain abstractions For example, chan in Promela
Hides intricate details of how a communication channel is implemented
Only focuses on the behavior of the channel that is relevant, e.g., synchronous, rendezvous, etc.
Fewer details of states that need to be stored, and possibly less states that needs to be explored
Syntax does not need to change, and new abstractions can be added on demand
![Page 11: An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer](https://reader036.vdocument.in/reader036/viewer/2022070400/56649f145503460f94c29b1d/html5/thumbnails/11.jpg)
Extensible Input Language —Resource Contention Example
Process#1
Process#3
Process#2
Process#4
acquire acquire
acquire acquire
release
release
release
releaseResource Pool
![Page 12: An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer](https://reader036.vdocument.in/reader036/viewer/2022070400/56649f145503460f94c29b1d/html5/thumbnails/12.jpg)
Extensible Input Language —Resource Contention Example
Process#1
Process#3
Process#2
Process#4
acquire acquire
Resource Pool
![Page 13: An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer](https://reader036.vdocument.in/reader036/viewer/2022070400/56649f145503460f94c29b1d/html5/thumbnails/13.jpg)
Extensible Input Language —Resource Contention Example
Process#1
Process#3
Process#2
Process#4
release releaseResource Pool
How do we represent the resource pool if we are checking for example deadlock?
How do we represent the resource pool if we are checking for example deadlock?
How do we encode the representation in the model?
How do we encode the representation in the model?
![Page 14: An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer](https://reader036.vdocument.in/reader036/viewer/2022070400/56649f145503460f94c29b1d/html5/thumbnails/14.jpg)
Extensible Input Language —Set Extension Example (Syntax)
Bogor allows new abstract types and abstract operations as first-class construct
![Page 15: An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer](https://reader036.vdocument.in/reader036/viewer/2022070400/56649f145503460f94c29b1d/html5/thumbnails/15.jpg)
Extensible Input Language —Set Extension Example (Semantics)
public class MySet implements INonPrimitiveExtValue { protected HashSet set = new HashSet(); protected boolean isNonPrimitiveElement;
public void add(IValue v) { set.add(v); }
public byte[][] linearize(..., int bitsPerNPV,ObjectIntTable npvIdMap) {
Object[] elements = set.toArray(); BitBuffer bb = new BitBuffer(); if (isNonPrimitiveElement) { int[] elementIds = new int[elements.length]; for (int i = 0; i < elements.length; i++) elementIds[i] = npvIdMap.get(elements[i]); Arrays.sort(elementIds); for (int i = 0; i < elements.length; i++) bb.append(elementIds[i], bitsPerNPV); } else ... return new byte[][] { bb.toByteArray() }; } ...
Implementing the set value for the set type
Reuse Java collection to implement setReuse Java collection to implement set
Wrapper for add operationWrapper for add operation
Constructs a bit vector that represents the setinstead of encoding the HashSet instance
Constructs a bit vector that represents the setinstead of encoding the HashSet instance
![Page 16: An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer](https://reader036.vdocument.in/reader036/viewer/2022070400/56649f145503460f94c29b1d/html5/thumbnails/16.jpg)
Extensible Input Language —Set Extension Example (Semantics)
R G B
Suppose the references to resources are represented as integers R, G, B
Suppose the references to resources are represented as integers R, G, B
<R,G,B>
The state of the set consists of encodings of the references to resources
The state of the set consists of encodings of the references to resources
<B,G,R>
And ordered!And ordered!
![Page 17: An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer](https://reader036.vdocument.in/reader036/viewer/2022070400/56649f145503460f94c29b1d/html5/thumbnails/17.jpg)
Extensible Input Language — Observable Extension Example
Expression/action extensions can: be non-deterministic have access to all the information in the
current state and all previous states in the DFS stack
Easy to express predicates/functions over dynamic data e.g., non-deterministically choose a
reachable heap instance from a given reference
![Page 18: An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer](https://reader036.vdocument.in/reader036/viewer/2022070400/56649f145503460f94c29b1d/html5/thumbnails/18.jpg)
Extensible Input Language —Observable Extension Example (Syntax)
An invariant example using Bogor function expressions
Function expressions can be recursive
……
![Page 19: An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer](https://reader036.vdocument.in/reader036/viewer/2022070400/56649f145503460f94c29b1d/html5/thumbnails/19.jpg)
Extensible Input Language —Observable Extension Example (Semantics)
public IValue forAll(IExtArguments arg) { String predFunId = .. MySet set = (MySet) arg.getArgument(1); IValue[] els = set.elements(); for (int i = 0; i < els.length; i++) { IValue val = ee.evaluateApply(predFunId, new IValue[] {els[i] }); if (isFalse(val)) return getBooleanValue(false); } return getBooleanValue(true);}
![Page 20: An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer](https://reader036.vdocument.in/reader036/viewer/2022070400/56649f145503460f94c29b1d/html5/thumbnails/20.jpg)
Highly Capable Core Checker
Bogor implements state-of-the-art reduction techniques
State reductions [Robby-al ‘03] Collapse compression (based on Holzmann
‘97) Heap symmetry (based on Iosif ‘02) Thread symmetry (based on Bosnacki ‘02)
Interleaving reductions [Dwyer-al ‘03] Partial order reductions (based on Clarke-al
‘93)
![Page 21: An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer](https://reader036.vdocument.in/reader036/viewer/2022070400/56649f145503460f94c29b1d/html5/thumbnails/21.jpg)
Verified
CounterExample
Lexer
Parser
Type Checking
SemanticAnalyses
IExpEvaluator ITransformer ISearcher
IActionTaker IBacktrackIF IStateMgr
IValueFactory ISchedulingStg IStateFactory
.bir
.config
Customizable Architecture
![Page 22: An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer](https://reader036.vdocument.in/reader036/viewer/2022070400/56649f145503460f94c29b1d/html5/thumbnails/22.jpg)
Assessment
Dynamic Escape Analysis for POR (150 LOC, 20x)
Rich-forms of heap quantification Dynamic atomicity (5 LOC, 5x) Middle-ware model Priority Scheduling (200 LOC, 10x) Relative-time environment (10x) Lazy-time environment (240 LOC, 100x) Quasi-cyclic search (200 LOC, 100x)
![Page 23: An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer](https://reader036.vdocument.in/reader036/viewer/2022070400/56649f145503460f94c29b1d/html5/thumbnails/23.jpg)
Tool Availability (Summer ’03)
http://bogor.projects.cis.ksu.edu