Presentation is loading. Please wait.

Presentation is loading. Please wait.

Arindam Chakrabarti Luca de Alfaro Thomas A Henzinger Marcin Jurdziñski Freddy Y C Mang UC Berkeley Interface Compatibility Checking for Software Modules.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Arindam Chakrabarti Luca de Alfaro Thomas A Henzinger Marcin Jurdziñski Freddy Y C Mang UC Berkeley Interface Compatibility Checking for Software Modules."— Presentation transcript:

1 Arindam Chakrabarti Luca de Alfaro Thomas A Henzinger Marcin Jurdziñski Freddy Y C Mang UC Berkeley Interface Compatibility Checking for Software Modules

2 6/22/2015Open Source Quality Retreat 20022 Outline Motivation Example to show the method The method in detail Implementation issues Current and future work

3 6/22/2015Open Source Quality Retreat 20023 Motivation Find more errors at compile time Focus: incorrect call order What is a module ?

4 6/22/2015Open Source Quality Retreat 20024 Example Brief description of TinyOS, an operating system for ad-hoc networked sensors The error in TinyOS How it can be detected

5 6/22/2015Open Source Quality Retreat 20025 TinyOS [Culler et. al.] RFM Radio byte Radio Packet UART Serial Packet ADC Tempphoto Active Messages clocks bit byte packet Route map routersensor appln application HW SW

6 6/22/2015Open Source Quality Retreat 20026 Rx, Tx, LowPow events commands RFM RFM RFMPwr0 RFMPwr1 RxMode Interrupt RFMInit TxMode TxBit RxBitEvent TxBitEvent

7 6/22/2015Open Source Quality Retreat 20027 Rx, Tx, LowPow commands events RadioByte Radio Byte RFMInit RFMPwr0 RFMPwr1 RxMode TXMode TxBitRxBitEvent TxBitEvent RBInit TxBytes RBPwr0 RBPwr1 TxByteRdy RxByteRdy TxDone

8 6/22/2015Open Source Quality Retreat 20028 The Error RFM RadioByte … LowPow RBPwr0 RFMPwr0

9 6/22/2015Open Source Quality Retreat 20029 The Error RFM RadioByte … LowPow RBPwr0 RFMPwr0

10 6/22/2015Open Source Quality Retreat 200210 The Error RFM RadioByte … LowPow RFMPwr0 RBPwr0 RBPwr1 RxMode not available at LowPow !!! RxMode

11 6/22/2015Open Source Quality Retreat 200211 The Error RBPower1 fails to call RFMPower1 before calling RxMode Makes RBPower1 unavailable at all states Once RB is powered down, it can never be powered up again

12 6/22/2015Open Source Quality Retreat 200212 What’s the talk about ? We can find this at compile-time ! We can work with open systems ! We take the optimistic approach ! Here’s how !

13 6/22/2015Open Source Quality Retreat 200213 Enter Interfaces Verify that module interfaces are compatible Verify that the interface matches the implementation Module interface = a behavioral type for the module

14 6/22/2015Open Source Quality Retreat 200214 interface Abstract data, Local Methods, External Methods, Call assumptions, Abstract local method bodies, Availability constraints Data, method implementations module The Model Methods implemented in this module Methods implemented by the environment Local methods not called transitively Interface states in which a local method is available

15 6/22/2015Open Source Quality Retreat 200215 Example Var: State:{Rx, Tx, LwPw} Local: interrupt notcall{interrupt} available at{Rx,Tx} { if(state == Rx) RxBitEv; else if(state == Tx) choose(*){;} {TxBitEv;} return; } …

16 6/22/2015Open Source Quality Retreat 200216 The Method Consider a pushdown automaton The control states consist of (interface state,program counter) pairs. … if(state == Rx) RxBitEv; else if(state == Tx) … 100 (Rx, 100) (Tx, 100) (LowPow,100)

17 6/22/2015Open Source Quality Retreat 200217 Assignment or choice statements are translated to skip rules. … State := Rx; … L1 (Tx,L1) (Rx,L2) (Tx,L1)(Rx,L2) skip L2

18 6/22/2015Open Source Quality Retreat 200218 Method calls translate to push rules. … RxBitEv; … RxBitEv{…} L1 L2 … (*,L1)(*,L3) Push L2 L3

19 6/22/2015Open Source Quality Retreat 200219 Return statements correspond to pop rules. … return; … L1 L* … (*,L1)(*,L*) Pop L*

20 6/22/2015Open Source Quality Retreat 200220 The Game Environment gets control when an external method is called. Interface tries to violate availability constraints, the environment tries to prevent it.

21 6/22/2015Open Source Quality Retreat 200221 Interface consistency Error state: where availability constraint is violated Consistency criterion: Environment has a strategy to never enter an error state Reachability game on PDA configuration graph (LowPow,Loc(RxMode))

22 6/22/2015Open Source Quality Retreat 200222 For every local method we play a game, starting from appropriate PDA control states. A local method is usable at only those states it is available at, from where the environment is also able to avoid losing.

23 6/22/2015Open Source Quality Retreat 200223 Implementation Issues Good news: Pushdown reachability games can be solved. Walukiewicz gave a translation from (infinite state) parity pushdown games to finite state parity games. Bad news: The problem is DEXPTIME-Complete.

24 6/22/2015Open Source Quality Retreat 200224 Walukiewicz’s approach For every PDA control state q 2 Q, every stack symbol  2 , and every subset s 2 2 Q, make a state (q, ,s) in the finite game This state represents the (finite) information that starting from PDA control state q with  on top of stack, player 1 has a strategy to reach some state q’ 2 s, or pop  off the stack, without ever letting player 2 force him into an error state

25 6/22/2015Open Source Quality Retreat 200225 Edges are put in corresponding to edges in the pushdown configuration graph Correspondence of memoryless winning strategies

26 6/22/2015Open Source Quality Retreat 200226 Our optimization for pushdown reachability games We do not need to explicitly construct exponentially bigger game Sets of states represented and manipulated symbolically Fixed point computation converges relatively fast

27 6/22/2015Open Source Quality Retreat 200227 The Symbolic Approach For every PDA control state q 2 Q, and every stack symbol  2 , we keep track of SETS(q,  ): the set of sets of PDA control states that the environment has a strategy to reach, starting in state q with  on top of stack

28 6/22/2015Open Source Quality Retreat 200228 If ;, the empty set of PDA control states, is in SETS(q,  ) it means that player 1 can force the stack to be emptied, starting from q with  on stack.

29 6/22/2015Open Source Quality Retreat 200229 If q is a state where method m is available, and  is the return address for method m, then ; 2 SETS(q,  ) means that the invocation of m in state q (resulting in a possibly recursive sequence of method calls) will be error-free

30 6/22/2015Open Source Quality Retreat 200230 Symbolic Solver B skip A SETS(A,  ) = SETS(A,  ) [ SETS(B,  ) If player 1 has a strategy to reach set S from B then he can use it to find a strategy to reach S from A.

31 6/22/2015Open Source Quality Retreat 200231 In the following case player 1 has a strategy to reach any superset of {B} from A. B pop A SETS(A,  ) = SETS(A,  ) [ {B}

32 6/22/2015Open Source Quality Retreat 200232 B push,  ’ A If there exists a set U of game states which player 1 has a strategy to reach from A by popping  ’ from stack, and for each u 2 U, player 1 has a strategy to reach S, then player 1 has a strategy to reach S from A.

33 6/22/2015Open Source Quality Retreat 200233 SETS(A,  ) = SETS(A,  ) [ 9 z 1,z 2, …,z n.(SETS(B,  ’)[z i /x i ] Æ Æ i=1 n (z i ) ) SETS(i,  ))) Similar rules for player 2; 8 ( Æ ) composition of rules instead of 9 ( Ç ) Observation: Push, pop and skip rules do not have the same cost

34 6/22/2015Open Source Quality Retreat 200234 … Prog RxMode available at{Rx,Tx} { RFMstate := Rx; return; } … Prog RBPower1 available at{LowPow} { RxMode; RBstate := Rx; return; } … RFM … RadioByte Should have called RFMPower1 here first !

35 6/22/2015Open Source Quality Retreat 200235 Observation: Code Correction Introduce an environment move between every two interface moves. The right thing to do can be automatically found from the winning environment strategy.

36 6/22/2015Open Source Quality Retreat 200236 Results Module implementation: 460 LOC, 8 variables (1 byte each) Module interface: <50 LOC, 2 variables (3-value domain)

37 6/22/2015Open Source Quality Retreat 200237 Implementation Status Symbolic solver implemented in Java. Composition of two TinyOS interfaces gives a game with 117 control states and 5 stack symbols. Game state space: 117*5*2 117 Solution takes 30 CPU minutes on 256MB RAM 200 MHz dual CPU Sun workstation

38 6/22/2015Open Source Quality Retreat 200238 Current and Future Work Type qualifiers and interfaces Faster solution of pushdown games Semi-automatic extraction of interfaces

Download ppt "Arindam Chakrabarti Luca de Alfaro Thomas A Henzinger Marcin Jurdziñski Freddy Y C Mang UC Berkeley Interface Compatibility Checking for Software Modules."

Similar presentations

How to use TinyOS Jason Hill Rob Szewczyk Alec Woo David Culler An event based execution environment for Networked Sensors.

How to use TinyOS Jason Hill Rob Szewczyk Alec Woo David Culler An event based execution environment for Networked Sensors.
Optional Static Typing Guido van Rossum (with Paul Prescod, Greg Stein, and the types-SIG)

Optional Static Typing Guido van Rossum (with Paul Prescod, Greg Stein, and the types-SIG)
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
System Integration and Performance

System Integration and Performance
Winning concurrent reachability games requires doubly-exponential patience Michal Koucký IM AS CR, Prague Kristoffer Arnsfelt Hansen, Peter Bro Miltersen.

Winning concurrent reachability games requires doubly-exponential patience Michal Koucký IM AS CR, Prague Kristoffer Arnsfelt Hansen, Peter Bro Miltersen.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.

Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
Timed Automata.

Timed Automata.
Pushdown Systems Koushik Sen EECS, UC Berkeley Slide Source: Sanjit A. Seshia.

Pushdown Systems Koushik Sen EECS, UC Berkeley Slide Source: Sanjit A. Seshia.
Interface-based design Philippe Giabbanelli CMPT 894 – Spring 2008.

Interface-based design Philippe Giabbanelli CMPT 894 – Spring 2008.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
© Janice Regan, CMPT 102, Sept. 2006 0 CMPT 102 Introduction to Scientific Computer Programming The software development method algorithms.

© Janice Regan, CMPT 102, Sept CMPT 102 Introduction to Scientific Computer Programming The software development method algorithms.
TOSSIM A simulator for TinyOS Presented at SenSys 2003 Presented by : Bhavana Presented by : Bhavana 16 th March, 2005.

TOSSIM A simulator for TinyOS Presented at SenSys 2003 Presented by : Bhavana Presented by : Bhavana 16 th March, 2005.
API Design CPSC 315 – Programming Studio Fall 2008 Follows Kernighan and Pike, The Practice of Programming and Joshua Bloch’s Library-Centric Software.

API Design CPSC 315 – Programming Studio Fall 2008 Follows Kernighan and Pike, The Practice of Programming and Joshua Bloch’s Library-Centric Software.
Convertibility Verification and Converter Synthesis: Two Faces of the Same Coin Jie-Hong Jiang EE249 Discussion 11/21/2002 Passerone et al., ICCAD ’ 02.

Convertibility Verification and Converter Synthesis: Two Faces of the Same Coin Jie-Hong Jiang EE249 Discussion 11/21/2002 Passerone et al., ICCAD ’ 02.
Model Checking Lecture 5. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 5. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Introduction to Perfect Hashing Schemes

Introduction to Perfect Hashing Schemes
Behavioral Design Outline –Design Specification –Behavioral Design –Behavioral Specification –Hardware Description Languages –Behavioral Simulation –Behavioral.

Behavioral Design Outline –Design Specification –Behavioral Design –Behavioral Specification –Hardware Description Languages –Behavioral Simulation –Behavioral.
© Copyright 1992–2004 by Deitel & Associates, Inc. and Pearson Education Inc. All Rights Reserved. Chapter 5 - Functions Outline 5.1Introduction 5.2Program.

© Copyright 1992–2004 by Deitel & Associates, Inc. and Pearson Education Inc. All Rights Reserved. Chapter 5 - Functions Outline 5.1Introduction 5.2Program.

Similar presentations

Ads by Google