The Bogor Model Checking Framework Emily Gibson November 28, 2006

About Bogor Motivation: Domain-specific model checkers may be more effective (and cheaper) than general purpose model checkers SPIN, NuSMV, etc support fixed input langs, state-space representations, reduction & exploration algs Most existing tools don’t directly support OO lang features Solution: customizable & easily extensible model checking framework

Modularity

Basic Features Java, eclipse plug-in or command line Customized text editor Syntax highlighting Highlights errors in model/properties Modes: Model Checking -- explore all possible paths Random Simulation User-guided Simulation

Features Supports unbounded dynamic thread and heap object creation with automatic garbage collection Canonical heap representation (based on dSpin) so heaps are observationally equivalent Only keep state in BIR vars, semantics can be implemented in Java and kept separate from model Customization can improve space and time requirements by over three orders of magnitude!

BIR: Bogor Input Representation Primitive types double, int, bool, enum thread IDs, others -- extensible Default values like spin No coercion -- need explicit casts Non-primitive types record, array, string, lock, extensions Type Aliases -- compact names for types Fun[ction] types -- like SML

BIR Cont’d Scope: functions and threads have own namespace, but can’t hide with global declarations Locations: control pts in threads Annotated with live vars (if empty, bogor calcs; vars not in set reset to default vals) Jump and Catch statements Actions: assign, assert, assume, lock, throw, exit

BIR: High or Low Level Syntax? Used for automatic model extraction Interleavings only happen between locations (atomic by default) Basic syntax: loc[ation], live, do, when, visible, goto, catch, return High level Used for manual model construction Includes high-level programming constructs: atomic, while, if, elseif, else, try, catch, skip, return, choose Converted to low-level during model checking

Example: Choose syntax High-level system ChooseExample { int i := 0; active[3] thread MAIN() { atomic choose when <i < 1> do i := i + 1; when <i < 2> do i := i + 2; else do i := i + 3; end }

Translated to Low-level system ChooseExample { int i := 0; active [3] thread MAIN() { boolean temp$0; boolean temp$1; boolean temp$2; ANY_THROWABLE atomicCatch$Local; loc loc0: do { Atomic.beginAtomic(); } goto loc1; loc loc1: do invisible { temp$0 := i < 1; temp$1 := i < 2; temp$2 := !((temp$0 || temp$1)); } goto loc2; loc loc2: when temp$0 do invisible { } goto loc3; when temp$1 do invisible { } goto loc5; when temp$2 do invisible { } goto loc7; loc loc3: do { i := i + 1; } goto loc4; loc loc4: do { } goto loc9; loc loc5: do { i := i + 2; } goto loc6; loc loc6: do { } goto loc9; loc loc7: do { i := i + 3; } goto loc8; loc loc8: do { } goto loc9; loc loc9: do { Atomic.endAtomic(); } goto loc10; loc loc10: do { } return; loc atomicCatch: do { Atomic.endAtomic(); throw atomicCatch$Local; } goto atomicCatch; catch ANY_THROWABLE atomicCatch$Local at loc1, loc2, loc3, loc4, loc5, loc6, loc7, loc8 goto atomicCatch; } extension Atomic for edu.ksu.cis.bogor.projects.bogor.ext.atomicity.AtomicModule { actiondef beginAtomic (); actiondef endAtomic (); throwable record ANY_THROWABLE {} Translated to Low-level

Advanced Features The default distribution does not include the optimizations described in various publications --- it’s supposed to be “easily understood”. Features not included: symmetry reduction collapse compression partial order reduction Are available as separate extension modules through subversion: https://robby.user.cis.ksu.edu/bogor

References Bogor web site: http://bogor.projects.cis.ksu.edu/ Robby, Matthew Dwyer, John Hatcliff. “Bogor: A Flexible Framework for Creating Software Model Checkers.” In Proceedings of Testing: Academic & Industrial Conference - Practice And Research Techniques, June 2006. Matthew B. Dwyer, John Hatcliff, Matthew Hoosier, Robby. “Building Your Own Software Model Checker Using the Bogor Extensible Model Checking Framework.” In Proceedings of Computer-Aided Verification, January 2005.

Demo… Dining Philosophers

Note to self… Select the configuration! (Highlight when model checking)