Presentation is loading. Please wait.

Presentation is loading. Please wait.

Space-Reduction Strategies for Model Checking Dynamic Software

Published byMervyn Jordan Modified over 5 years ago

Similar presentations

Presentation on theme: "Space-Reduction Strategies for Model Checking Dynamic Software"— Presentation transcript:

1 Space-Reduction Strategies for Model Checking Dynamic Software
Robby1 Matthew B. Dwyer1 John Hatcliff1 Radu Iosif2 Support ARO CIP/SW URI award DAAD DARPA/AFRL project AFRL-F C-3044 NSF SEL Program under Award CCR 1 Kansas State University 2 Verimag

2 Bogor (http://bogor.projects.cis.ksu.edu) Summer 2003 Release
An extensible and highly-modular (explicit state) model checking framework [Robby-al FSE’03] rich & extensible modeling language modular design with open API to ease customization Targeted for checking dynamic systems by specializations at several different abstraction levels checking Java programs in the Bandera project ( Symmetry reductions & collapse compression [this talk] PO reductions using dynamic escape analysis and locking discipline [Dwyer-al:TR-1] checking designs of avionic (Boeing) systems in the Cadena project ( Abstraction of CORBA event channel and customized scheduler & search [Hatcliff-al:FMCO’02] Quasi-cyclic search (parallel) [Dwyer-al:EMSOFT’03]

3 Bogor

4 Dynamic Software Dynamic software written in modern programming languages such as Java features automatic memory management for objects allocations and de-allocations concurrency constructs etc. These features introduce more complexity for model checking heap threads

5 Issues in Model Checking Dynamic Software
How to linearize states? How to manage states? < …> heap seen set threads

6 Related Work Symmetry for Scalar Sets [Ip-al’96]
Heap Symmetry [Lerda-al’01, Iosif’01/’02] Thread Symmetry [Bosnacki-al’00/’02] Collapse Compression [Holzmann’97, Lerda-al’01]

7 Contribution Combine the best methods from all the previous (related) work Extend the heuristics for thread symmetry reduction by using threads observables can also be applied for symmetry in abstract data types Efficient collapse compression by considering objects and threads ordering from symmetry reductions

8 Issues in Model Checking Dynamic Software — Linearizing States
How to linearize states? How to manage states? < …> heap threads seen set

9 Linearizing Heap Usually using store-based representation
there are still explicit locations of objects in the memory objects at locations unreachable from the state root node are garbage However locations of objects are irrelevant to most properties (that we are interested) object identities are usually used for equality comparison garbage objects are definitely irrelevant cannot be observed, thus, can’t affect program execution garbages are irrelevant to the properties being checked This object may be located at memory cell 0x34AB4 This object may be located at memory cell 0x34FFF mostly interested only to distinguish objects heap

10 Heap Symmetry [Iosif’01/’02]
Observationally Equivalent Finding a canonical heap representation permuting objects location removing garbage objects Using topological sort on objects canonical for deterministic heap structure heap heap =

11 Linearizing Thread Set
Threads are active objects garbage collected only if they died different states may have different set of threads Similar to object locations the actual thread identifiers/descriptors are irrelevant we still want to be able to distinguish threads

12 Thread Symmetry [Bosnacki-al’00/02]
= Observationally Equivalent Similar to heap symmetry permute thread identities only preserve threads that are still alive However, in contrast to heap structure there are no topology for threads (set) [Bosnacki-al’00/02] proposed a heuristic: sorting threads by their program counters (PC)

13 Dining Philosophers Example
if not taken, get left fork state after phil#1 took its left fork fork#1 fork#3 fork#2 phil#1 phil#2 phil#3 left right if not taken, get right fork 1 put back right fork put back left fork

14 Dining Philosophers Example — PC Thread+Heap Symmetry [Iosif’02]
Thus, they can be ordered (ascending) as follows: phil#2, phil#3, phil#1 phil#3, phil#2, phil#1 phil#1’s PC > phil#2’s PC fork#1 phil#1’s PC > phil#3’s PC left right phil#1 1 phil#3 phil#1’s PC = phil#3’s PC right left fork#3 fork#2 left right phil#2

15 Dining Philosophers Example — PC Thread+Heap Symmetry [Iosif’02]
fork#1 fork#1 left right left right phil#1 1 phil#3 phil#1 1 phil#3 right left right left fork#3 fork#2 fork#3 fork#2 not observationally equivalent! fork#2 is not held, but fork#1 is left right left right phil#2 phil#2 phil#2, phil#3, phil#1 phil#3, phil#2, phil#1 fork#3, fork#2, fork#1 fork#2, fork#1, fork#3

16 k-Bounded Thread Symmetry (k-BOTS)
phil#2 1 phil#1 fork#1 fork#3 left right fork#2 Given two threads, decide ordering by the observables from each thread: stack heights program counters at each stack frame primitive local values at each stack frame recursively compare reachable non-primitive values user can tweak the recursive depth k for trade off between space and time phil#2 is ordered before phil#1 Stack heights are equal, but PCs are not phil#3 phil#2 fork#3 fork#2 left right fork#1 Stack heights and PCs are equal phil#2 is ordered before phil#3 Left forks are equal Right forks are not equal

17 Dining Philosopher Example — k-BOTS+Heap Symmetry
fork#1 fork#3 phil#1 phil#2 left right 1 fork#2 phil#3 Only one ordering Threads ordering phil#2, phil#3, phil#1 Heap objects ordering fork#3, fork#2, fork#1

18 Issues in Model Checking Dynamic Software — Managing States
How to linearize states? How to manage states? < …> heap threads seen set

19 Managing State Storage
Many state bit-vectors contain similar sub-bit-vectors only small number of changes for each transition Thus, this opens an opportunity for compression building dictionary of bit-vector state parts However, it is unclear which state parts we should use for the dictionary < …> similar bit pattern < …>

20 Collapse Compression [Lerda-al’01]
Bit-vector pools for fields data (static and dynamic) monitor data method stack frames other thread information (thread status) We follow a similar categorization, but we take advantage of the orderings generated by the symmetry reductions fork#1 fork#3 phil#1 phil#2 left right 1 fork#2 phil#3

21 Collapse Compression — Dining Philosopher Example
Empty bit-vector since there are no global variables Since this is the first bit-vector, start with 1 fork#3 is not held Structure Bit-vector n Globals <> 1 fork#3 <false> 2 fork#2 fork#1 <true> 3 Heap <Fork,2, Fork,2, Fork,3> 4 p#2 store <1,2> 5 phil#2 <loc0,5> 6 p#3 store <2,3> 7 phil#3 <loc0,7> 8 p#1 store <3,1> 9 phil#1 <loc1,9> 10 Thread Set <6,8,10> 11 State <1,4,11> 12 This is the second bit-vector fork#1 fork#3 phil#1 phil#2 left right 1 fork#2 phil#3 This bit-vector has been seen before fork#2 is not held The heap consists of the sequence of heap object types and heap object ids (n) The object is ordered by the heap symmetry ordering Phil#2’s left fork is the first object in the heap, and its right fork is the second object in the heap Phil#2’s stack frames The state consists of the bit-vector id of the global values, the heap, and the thread set The thread set consists of the bit-vector id of the threads phil#2, phil#3, phil#1 fork#3, fork#2, fork#1

22 Collapse Compression — Dining Philosopher Example
Structure Bit-vector n Globals <> 1 fork#3 <false> 2 fork#2 fork#1 <true> 3 Heap <Fork,2, Fork,2, Fork,3> 4 p#2 store <1,2> 5 phil#2 <loc0,5> 6 p#3 store <2,3> 7 phil#3 <loc0,7> 8 p#1 store <3,1> 9 phil#1 <loc1,9> 10 Thread Set <6,8,10> 11 State <1,4,11> 12 Structure Bit-vector n Globals <> 1 fork#3 <false> 2 fork#2 <true> 3 fork#1 Heap <Fork,2, Fork,3, Fork,3> 13 p#2 store <1,2> 5 phil#2 <loc0,5> 6 p#3 store <3,2> 14 phil#3 <loc0,14> 15 p#1 store <2,3> 7 phil#1 <loc2,7> 16 Thread Set <6,15,16> 17 State <1,13,17> 18 State after Phil#1 took its left fork State after Phil#1 took its left and right forks

23 Preliminary Results (k-BOTS+Collapse)
Dining Philosophers For 10 dining philosophers 4x faster, 25% memory consumption (no compression, no thread symmetry) 2x faster, 36% less memory consumption (collapse compression, PC thread symmetry) Bounded Buffer For small number of threads (3 and 4) 9% less memory and time consumption (collapse compression, PC thread symmetry) Ordered-List For 3 updater threads: 0.02% memory reduction For 4 updater threads: 2.5% memory reduction All examples Collapse compression is faster and it gives more reductions than GZIP compression

24 Applications for Bogor Type Extensions
Bogor allows introductions of new abstract data types (ADTs) as first class construct of the BIR modeling language Many ADTs such as Set or Table have symmetric properties The treatment that we use for threads (k-BOTS) can be used for such ADTs

25 Conclusion and Future Work
We have proposed extensions of two existing framework tunable heuristics for combination of thread and heap symmetry using information from symmetry reductions for collapse compression More empirical study, including symmetry for ADTs Extends the symmetry reductions to handle more state configurations, for example: lock wait set set of sets of …

Download ppt "Space-Reduction Strategies for Model Checking Dynamic Software"

Similar presentations

Chapter 22 Implementing lists: linked implementations.

Chapter 22 Implementing lists: linked implementations.
Singly linked lists Doubly linked lists

Singly linked lists Doubly linked lists
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
CHP-5 LinkedList.

CHP-5 LinkedList.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Introduction to Memory Management. 2 General Structure of Run-Time Memory.

Introduction to Memory Management. 2 General Structure of Run-Time Memory.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Goldilocks: Efficiently Computing the Happens-Before Relation Using Locksets Tayfun Elmas 1, Shaz Qadeer 2, Serdar Tasiran 1 1 Koç University, İstanbul,

Goldilocks: Efficiently Computing the Happens-Before Relation Using Locksets Tayfun Elmas 1, Shaz Qadeer 2, Serdar Tasiran 1 1 Koç University, İstanbul,
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Chair of Software Engineering The alias calculus Bertrand Meyer ITMO Software Engineering Seminar June 2011.

Chair of Software Engineering The alias calculus Bertrand Meyer ITMO Software Engineering Seminar June 2011.
Carnegie Mellon University Java PathFinder and Model Checking of Programs Guillaume Brat, Dimitra Giannakopoulou, Klaus Havelund, Mike Lowry, Phil Oh,

Carnegie Mellon University Java PathFinder and Model Checking of Programs Guillaume Brat, Dimitra Giannakopoulou, Klaus Havelund, Mike Lowry, Phil Oh,
Elementary Data Types Prof. Alamdeep Singh. Scalar Data Types Scalar data types represent a single object, i.e. only one value can be derived. In general,

Elementary Data Types Prof. Alamdeep Singh. Scalar Data Types Scalar data types represent a single object, i.e. only one value can be derived. In general,
Software Model Checking for Embedded Systems PIs: Matthew Dwyer 1, John Hatcliff 1, and George Avrunin 2 Post-docs: Steven Seigel 2, Radu Iosif 1 Students:

Software Model Checking for Embedded Systems PIs: Matthew Dwyer 1, John Hatcliff 1, and George Avrunin 2 Post-docs: Steven Seigel 2, Radu Iosif 1 Students:
CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.

CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.
CPSC 388 – Compiler Design and Construction

CPSC 388 – Compiler Design and Construction
1 Eran Yahav and Mooly Sagiv School of Computer Science Tel-Aviv University Verifying Safety Properties.

1 Eran Yahav and Mooly Sagiv School of Computer Science Tel-Aviv University Verifying Safety Properties.
Run time vs. Compile time

Run time vs. Compile time
The environment of the computation Declarations introduce names that denote entities. At execution-time, entities are bound to values or to locations:

The environment of the computation Declarations introduce names that denote entities. At execution-time, entities are bound to values or to locations:
Elementary Data Types Scalar Data Types Numerical Data Types Other

Elementary Data Types Scalar Data Types Numerical Data Types Other
Efficient Software Model Checking of Data Structure Properties Paul T. Darga Chandrasekhar Boyapati The University of Michigan.

Efficient Software Model Checking of Data Structure Properties Paul T. Darga Chandrasekhar Boyapati The University of Michigan.

Similar presentations

Ads by Google