Finding Feasible Counter-examples when Model Checking Abstracted Java Programs. Corina S. Pasareanu, Matthew B. Dwyer (Kansas State University) and Willem Visser (NASA Ames Research Center)


Introduction

Abstractions in software verification:
- used to reduce the data/control domains of a program
- described as abstract interpretation
- over-approximation: true results are preserved (a property that holds on the abstraction holds on the program)
- abstract counter-examples may be infeasible

Example of Infeasible Counter-example

Signs abstraction (tokens {NEG, ZERO, POS}): n < 0 -> neg, n == 0 -> zero, n > 0 -> pos

Concrete program (the left operand of the comparison is missing on the page; its abstraction below is Signs.add(NEG, POS), i.e. a negative value plus a positive value):
  [1] if ( > 0) then
  [2]   assert(true);
      else
  [3]   assert(false);
  Concrete execution: [1] -> [2]

Abstracted program:
  [1] if (Signs.gt(Signs.add(NEG, POS), ZERO)) then
  [2]   assert(true);
      else
  [3]   assert(false);
  Infeasible counter-example: [1] -> [3] X

Signs.add(NEG, POS) may be neg, zero or pos, so the abstracted program can take the else branch and reach the failing assertion although the concrete program never does.

Problem

Finding the abstract counter-examples that represent real program defects.

Previous work: after model checking, analyze the counter-example to see if it is feasible
- pre-image computations (InVest)
- symbolic execution (SLAM)
- forward simulation (CMU)

Our Solutions

- Choice-bounded state space search: "on-the-fly", during model checking
- Abstract counter-example guided concrete simulation
- Exploit implementations of abstractions for Java programs
- Effective in practice

Abstractions for Java Programs

- Program abstraction: over-approximation, using "internal" non-determinism
- Property abstraction: under-approximation
- Scheduler abstraction: Java gives only a weak specification of its scheduler; threads are assigned priorities, and "all threads with top priority will eventually run"

Abstract Interpretation

Abstraction specification:

  abstraction Signs abstracts int
    TOKENS = { neg, zero, pos };
    abstraction mapping:
      n < 0  -> {neg};
      n == 0 -> {zero};
      n > 0  -> {pos};

Java implementation of the abstraction (Verify.beginAtomic/endAtomic and Verify.choose are the model checker's hooks):

  public class Signs {
    public static final int NEG  = 0;
    public static final int ZERO = 1;
    public static final int POS  = 2;

    // abstraction mapping
    public static int abs(int n) {
      if (n < 0)  return NEG;
      if (n == 0) return ZERO;
      return POS;                // n > 0
    }

    // abstract '+': deterministic where the sign of the result is known,
    // non-deterministic (Verify.choose) for neg + pos and pos + neg
    public static int add(int a, int b) {
      int r;
      Verify.beginAtomic();
      if      (a == NEG  && b == NEG)  r = NEG;
      else if (a == NEG  && b == ZERO) r = NEG;
      else if (a == ZERO && b == NEG)  r = NEG;
      else if (a == ZERO && b == ZERO) r = ZERO;
      else if (a == ZERO && b == POS)  r = POS;
      else if (a == POS  && b == ZERO) r = POS;
      else if (a == POS  && b == POS)  r = POS;
      else r = Verify.choose(2);  // non-deterministically NEG, ZERO or POS
      Verify.endAtomic();
      return r;
    }
  }

Abstract operations (row: first operand, column: second operand):

  +     | neg              | zero | pos
  ------+------------------+------+-----------------
  neg   | neg              | neg  | {neg, zero, pos}
  zero  | neg              | zero | pos
  pos   | {neg, zero, pos} | pos  | pos

  abs: n < 0 -> neg, n == 0 -> zero, n > 0 -> pos

Choose-free state space search

Theorem [Saidi: SAS'00]: Every path in the abstracted program where all assignments are deterministic is a path in the concrete program.

Bias the model checker:
- to look only at paths that do not execute the instructions that introduce non-determinism
Model checker modified:
- to detect a non-deterministic choice (i.e. a call to Verify.choose()) and to backtrack from those points

Choice-bounded Search

[Figure: the state space searched is the part of the abstract state space reachable without passing through a choose(2) transition. A violation inside that region is a detectable violation; a violation reachable only through a choose() transition (marked X) is an undetectable violation for the choice-bounded search.]
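The Signs class and the choose-free search of the slides above in runnable form, as an added example that is not part of the original presentation, of Bandera or of JPF: the Signs operations are written as set-valued Python functions (a set with more than one element is where the generated Java code calls Verify.choose()), a bounded check confirms that the abstraction is a sound over-approximation, and a toy depth-first model checker runs the earlier example program "[1] if (a+b > 0) then [2] assert(true) else [3] assert(false)" once as a plain search and once choose-free. The transition-relation encoding, the operand names a and b and the bound of the soundness check are assumptions of the example.

```python
"""Signs abstraction and choose-free state-space search (added example)."""
from itertools import product

NEG, ZERO, POS = "neg", "zero", "pos"
SIGNS = (NEG, ZERO, POS)
RANK = {NEG: -1, ZERO: 0, POS: 1}


def abs_sign(n):
    """Abstraction mapping alpha: int -> Signs."""
    return NEG if n < 0 else ZERO if n == 0 else POS


def sign_add(a, b):
    """Abstract '+'. Returns the set of possible results; more than one
    element means the abstracted Java program would call Verify.choose()."""
    if a == b:
        return {a}                      # neg+neg, zero+zero, pos+pos
    if ZERO in (a, b):
        return {b if a == ZERO else a}  # zero is the identity
    return set(SIGNS)                   # neg+pos, pos+neg: sign unknown


def sign_gt(a, b):
    """Abstract '>'. Returns the set of possible boolean outcomes."""
    if a == b:
        return {False} if a == ZERO else {True, False}
    return {RANK[a] > RANK[b]}


def check_soundness(bound=25):
    """alpha(x op y) must be in op#(alpha(x), alpha(y)) for every concrete
    pair in [-bound, bound]^2 (assumed representative range)."""
    for x, y in product(range(-bound, bound + 1), repeat=2):
        ax, ay = abs_sign(x), abs_sign(y)
        if abs_sign(x + y) not in sign_add(ax, ay):
            return False
        if (x > y) not in sign_gt(ax, ay):
            return False
    return True


def example_program(a, b):
    """Abstract transition relation of the slides' example program with the
    two operands abstracted to a and b. A state is the program counter; each
    successor is tagged with whether it was produced by a non-deterministic
    choice (the abstract result of add or gt was not unique)."""
    def successors(pc):
        if pc != 1:
            return []                   # [2] and [3] are terminal
        sums = sign_add(a, b)
        outcomes = set().union(*(sign_gt(s, ZERO) for s in sums))
        via_choice = len(sums) > 1 or len(outcomes) > 1
        return [(2 if taken else 3, via_choice) for taken in sorted(outcomes)]
    return successors


def search(initial, successors, is_error, choose_free):
    """Depth-first search for an error state; returns the path or None.
    With choose_free=True the search backtracks at every transition produced
    by a choice, so any path it reports is deterministic in the abstraction
    and therefore (Saidi) a real path of the concrete program."""
    stack = [(initial, [initial])]
    seen = {initial}
    while stack:
        state, path = stack.pop()
        if is_error(state):
            return path
        for nxt, via_choice in successors(state):
            if choose_free and via_choice:
                continue                # backtrack: would need Verify.choose()
            if nxt not in seen:
                seen.add(nxt)
                stack.append((nxt, path + [nxt]))
    return None


def find_counter_example(a, b, choose_free):
    """The error state is [3], the branch that executes assert(false)."""
    return search(1, example_program(a, b), lambda pc: pc == 3, choose_free)


if __name__ == "__main__":
    print("Signs sound:", check_soundness())
    print("NEG+POS, full search:       ", find_counter_example(NEG, POS, False))
    print("NEG+POS, choose-free search:", find_counter_example(NEG, POS, True))
    print("NEG+NEG, choose-free search:", find_counter_example(NEG, NEG, True))
```

With operands NEG and POS the plain search reports the path [1] -> [3], which exists only because Signs.add(NEG, POS) was resolved by a choice; the choose-free search backtracks at that point and reports nothing, leaving the path to the guided simulation described later. With operands NEG and NEG the path [1] -> [3] is deterministic in the abstraction, so the choose-free search reports it and it is guaranteed to be a real run.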

Counter-example guided simulation

Use the abstract counter-example to guide a simulation of the concrete program.

Why it works:
- correspondence between the concrete and the abstracted program
- unique initial concrete state (Java defines default initial values for all data)

Example of Abstracted Code

Java program:
  class App {
    public static void main(…) {
  [1]   new AThread().start();
        …
  [2]   int i = 0;
  [3]   while (i < 2) {
          …
  [4]     assert(!Global.done);
  [5]     i++;
        }
    }
  }
  class AThread extends Thread {
    public void run() {
      …
  [6]   Global.done = true;
    }
  }

Abstracted program (i abstracted with Signs):
  class App {
    public static void main(…) {
  [1]   new AThread().start();
        …
  [2]   int i = Signs.ZERO;
  [3]   while (Signs.lt(i, Signs.POS)) {      // Nondeterminism!
          …
  [4]     assert(!Global.done);
  [5]     i = Signs.add(i, Signs.POS);
        }
    }
  }
  class AThread extends Thread {
    public void run() {
      …
  [6]   Global.done = true;
    }
  }

Nondeterminism! The loop test i < 2 becomes Signs.lt(i, Signs.POS), which is no longer determined once i is pos.

Choose-free counter-example: i = zero. AThread executes [6] before main reaches [4] in the first iteration, and the assertion fails; no Verify.choose() is involved, so this counter-example is feasible.

Example of Abstracted Code: abstract counter-example with a mismatch

Same Java program and abstracted program as on the previous slide. Abstract counter-example and its concrete replay, step by step (abstract value of i / concrete value of i):

  i=zero / i=0
  i=zero / i=0
  i=zero / i=0
  i=pos  / i=1
  i=pos  / i=1
  i=pos  / i=1
  i=pos  / i=2
  i=pos  / i=2   <- Mismatch

Mismatch: with i = pos the abstract counter-example stays in the loop (Signs.lt(pos, pos) was resolved by a choice), whereas the concrete program exits it because 2 < 2 is false. From this point on the abstract counter-example does not correspond to any concrete run.
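The guided simulation of the previous two slides as an added example that is not part of the original presentation or of JPF: a small interpreter for the concrete two-thread program replays the scheduling decisions recorded in an abstract counter-example and, after every step, compares the abstraction of the concrete state with the abstract state and the branch the concrete program took with the branch the counter-example took. The two traces are constructed to follow the values shown on the slides (the abstract value of i is recorded as None before [2] has executed, and the point after the loop is given the label 7); they are not JPF output.

```python
"""Counter-example guided concrete simulation (added example)."""
NEG, ZERO, POS = "neg", "zero", "pos"


def abs_sign(n):
    """Signs abstraction mapping alpha."""
    return NEG if n < 0 else ZERO if n == 0 else POS


class ConcreteProgram:
    """Concrete state of the slides' program: main's counter i, the shared
    Global.done flag and each thread's program counter (statement labels as
    on the slides). The unique initial state is fixed by Java's defaults."""

    def __init__(self):
        self.i = 0
        self.done = False
        self.pc = {"main": 1, "athread": None}   # AThread not started yet

    def step(self, thread):
        """Execute one statement of `thread`. Returns the outcome of the loop
        test at [3] (True/False) or None; raises AssertionError at [4]."""
        pc = self.pc[thread]
        if thread == "athread" and pc == 6:       # [6] Global.done = true
            self.done = True
            self.pc[thread] = None
        elif thread == "main" and pc == 1:        # [1] new AThread().start()
            self.pc["athread"] = 6
            self.pc[thread] = 2
        elif thread == "main" and pc == 2:        # [2] i = 0
            self.i = 0
            self.pc[thread] = 3
        elif thread == "main" and pc == 3:        # [3] while (i < 2)
            taken = self.i < 2
            self.pc[thread] = 4 if taken else 7   # 7: past the loop (assumed label)
            return taken
        elif thread == "main" and pc == 4:        # [4] assert(!Global.done)
            if self.done:
                raise AssertionError("Global.done is true at [4]")
            self.pc[thread] = 5
        elif thread == "main" and pc == 5:        # [5] i++
            self.i += 1
            self.pc[thread] = 3
        else:
            raise ValueError(f"{thread} has no statement at {pc}")
        return None


def guided_simulation(trace):
    """trace: steps (thread, label, abstract_i, loop_branch) taken from an
    abstract counter-example. Returns ("feasible", k) when the assertion
    violation is reproduced concretely at step k, otherwise
    ("mismatch", k, reason) for the first step where the concrete run and
    the abstract counter-example disagree."""
    prog = ConcreteProgram()
    for k, (thread, label, abstract_i, branch) in enumerate(trace):
        if prog.pc[thread] != label:
            return ("mismatch", k, "control location")
        try:
            taken = prog.step(thread)
        except AssertionError:
            return ("feasible", k)                # reproduced on the real program
        if abstract_i is not None and abs_sign(prog.i) != abstract_i:
            return ("mismatch", k, "data")
        if branch is not None and taken != branch:
            return ("mismatch", k, "branch")
    return ("mismatch", len(trace), "no violation")


# Constructed choose-free counter-example: AThread runs before the first assert.
FEASIBLE_TRACE = [
    ("main", 1, None, None),
    ("main", 2, ZERO, None),
    ("athread", 6, ZERO, None),
    ("main", 3, ZERO, True),      # Signs.lt(zero, pos) is deterministic
    ("main", 4, ZERO, None),      # assert(!Global.done) fails
]

# Constructed abstract counter-example that stays in the loop a third time
# because Signs.lt(pos, pos) was resolved by Verify.choose(); concretely i == 2.
SPURIOUS_TRACE = [
    ("main", 1, None, None),
    ("main", 2, ZERO, None),
    ("main", 3, ZERO, True),
    ("main", 4, ZERO, None),
    ("main", 5, POS, None),       # i = 1
    ("main", 3, POS, True),
    ("main", 4, POS, None),
    ("main", 5, POS, None),       # i = 2, still pos
    ("main", 3, POS, True),       # abstract: stay in loop; concrete: 2 < 2 is false
    ("athread", 6, POS, None),
    ("main", 4, POS, None),
]

if __name__ == "__main__":
    print(guided_simulation(FEASIBLE_TRACE))   # ('feasible', 4)
    print(guided_simulation(SPURIOUS_TRACE))   # ('mismatch', 8, 'branch')
```

The first trace is reproduced on the concrete program, so the defect is real. The second diverges at the third loop test: the abstraction of the concrete state still matches (i = 2 is pos) but the branch does not, which is exactly the information the "refine selections" step of the hybrid approach needs, namely that the loop counter should not be abstracted with Signs.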

Hybrid Approach

  Program & Property  --abstraction-->  Abstract Program & Property
    |
    v
  Choose-free model check
    -> Property false! (counter-example)
    -> otherwise: Model check the abstract program & property
         -> Property true!
         -> Abstract counter-example -> Guided simulation
              -> Property false! (counter-example)
              -> Mismatch -> Refine selections (of the abstraction) and repeat

Implementation

Java PathFinder (JPF):
- model checker for Java programs
- built on top of a custom-made Java Virtual Machine
- checks for deadlock and violations of assertions
Abstractions: predicate abstraction, Bandera's data abstraction

Experience with Java Programs

  Program                   Lines of code   # Threads   Abstraction   Size of default counter-example   Size of choose-free counter-example
  Remote Agent Experiment   55              3           Signs         74 steps                          40 steps
                                                        Even-Odd      128 steps                         ---
  Pipeline                                              Signs         168 steps                         69 steps
  Readers-Writers                                       Signs         176 steps                         76 steps
  DEOS scheduler                                        Signs         471 steps                         312 steps

Ongoing Work

- Add "choose-free search" to Bandera SPIN models
- Programs with inputs: "external" non-determinism (e.g. DEOS)
- Driving abstraction selection from infeasible counter-examples
- Empirical comparisons with other existing approaches
- CTL model checking

Conclusions

Two approaches for finding defects in abstracted programs.
Fast:
- choose-free search is depth-bounded
- the cost of simulation depends on the length of the counter-example
Complementary to other techniques.

Spurious Counter-example Introduced by Property Abstraction

Java program:
  …
  [1] x = 1;
  [2] y = x + 1;
  [3] assert(x < y);

Abstracted program:
  …
  [1] x = Signs.POS;
  [2] y = Signs.add(x, Signs.POS);
  [3] assert((x == Signs.NEG  && y == Signs.ZERO)
          || (x == Signs.NEG  && y == Signs.POS)
          || (x == Signs.ZERO && y == Signs.POS));

The property x < y is under-approximated by the pairs of signs for which it certainly holds. Concretely x = 1, y = 2 satisfies the assertion; abstractly x = pos and y = pos (pos + pos is pos, no choice involved), and (pos, pos) is not among the listed pairs, so the abstracted assertion fails although the program is correct.
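The property abstraction of this slide computed rather than written by hand, as an added example that is not part of the original presentation: must_hold derives the under-approximation of x < y over Signs pairs from the abstraction mapping (it reproduces the disjunction on the slide), may_hold derives the dual over-approximation, and the slide's three-line program is replayed concretely and abstractly to show the spurious failure. Deciding each abstract pair from a bounded concrete range is an assumption of the example that holds for Signs and linear predicates; it is not a general algorithm.

```python
"""Property abstraction as an under-approximation (added example)."""
from itertools import product

NEG, ZERO, POS = "neg", "zero", "pos"


def abs_sign(n):
    """Signs abstraction mapping alpha."""
    return NEG if n < 0 else ZERO if n == 0 else POS


def _concretisations(bound):
    """Group the concrete pairs of [-bound, bound]^2 by their abstract pair.
    Signs has three convex classes and the predicates used here are linear,
    so this bounded sample decides each class correctly (assumption)."""
    groups = {}
    for x, y in product(range(-bound, bound + 1), repeat=2):
        groups.setdefault((abs_sign(x), abs_sign(y)), []).append((x, y))
    return groups


def must_hold(pred, bound=8):
    """Under-approximation: abstract pairs for which pred holds for EVERY
    concrete pair they represent. Checking this set on the abstract program
    can reject runs that are fine concretely (spurious counter-examples)."""
    return {ab for ab, pairs in _concretisations(bound).items()
            if all(pred(x, y) for x, y in pairs)}


def may_hold(pred, bound=8):
    """Over-approximation: abstract pairs for which pred holds for SOME
    concrete pair. Checking this set can miss real violations instead."""
    return {ab for ab, pairs in _concretisations(bound).items()
            if any(pred(x, y) for x, y in pairs)}


def less_than(x, y):
    """The property of the slide: x < y."""
    return x < y


def concrete_run():
    """[1] x = 1; [2] y = x + 1; [3] assert(x < y)."""
    x = 1
    y = x + 1
    return less_than(x, y)


def abstract_run(abstract_property):
    """[1] x = POS; [2] y = Signs.add(x, POS), which is POS with no choice
    needed; [3] the abstracted assertion checks membership in the set."""
    x = POS
    y = POS
    return (x, y) in abstract_property


if __name__ == "__main__":
    print(sorted(must_hold(less_than)))                  # the slide's disjunction
    print(concrete_run(), abstract_run(must_hold(less_than)))  # True False: spurious
    print(abstract_run(may_hold(less_than)))             # True
```

must_hold(less_than) is exactly {(neg, zero), (neg, pos), (zero, pos)}, the three disjuncts on the slide; (pos, pos) is absent because 2 < 1 is a concretisation of it, so the abstract run fails while the concrete run passes. Replacing the property by its over-approximation may_hold makes the abstract run pass, at the price that a real violation with x = 2, y = 1 would then also pass.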

Hybrid Approach

- Run the abstract model check
- If there is a counter-example: run the choice-free search
- If there is no counter-example: run a "stronger" approach
- Different tools can be used for different jobs, e.g. SPIN -> JPF -> SMV

Experience

Defective Java applications: Pipeline, Readers-Writers, RAX, DEOS (avionics software)

Choose-free model checking:
- choose-free counter-examples are common
- fast (since it is a depth-bounded search)
- short counter-examples
- enables more aggressive abstractions