Presentation is loading. Please wait.

Presentation is loading. Please wait.

Bandera Tool Set Presented by: Dor Nir. Outline Specification Language (LTL) Software verification problems Introduction to Bandera tool Set Bandera Specification.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Bandera Tool Set Presented by: Dor Nir. Outline Specification Language (LTL) Software verification problems Introduction to Bandera tool Set Bandera Specification."— Presentation transcript:

1 Bandera Tool Set Presented by: Dor Nir

2 Outline Specification Language (LTL) Software verification problems Introduction to Bandera tool Set Bandera Specification Language (BSL) Data Type Abstraction Slicing Results and conclusions

3 The Vision Automatic Verifier Source Code Requirements Program Approved Counter example Use case Formal System Specification

4 Specification Languages Linear Temporal Logic (LTL) Computation Tree Logic (CTL, CTL*) Excplicit Clock Temporal Logic (XCTL) Temporal Logic of Actions (TLA, TLA+) Interval Temporal Logic (ITL)

5 Propositional Linear Temporal Logic O(p) – next p – always ◊p – eventually pUq – Until pWq – pUq V ٱ p P PPPP P PPPPq Notation: p => q ≡ ٱ (p  q)

6 Some typical property patterns Recurrence ◊p infinitely often ◊p eventually always Precendence pU(qUr) p* q* r (pUq)Ur (p*q)* r ¬ pWq p cannot occur before q r Pq

7 Mutual Exclusion Properties Resource is never owned by P 1 and P 2, simultaneously  (P 1 _own  P 2 _own) Whenever P 1 has requested the resource it will eventually get it (P 1 _req  P 1 _own) If P 1 requests the resource infinitely often (when the resource is free then it will infinitely often get it (strong fairness)  (P 1 _req  (P 1 _own  P 2 _own))   P 1 _own

8 Finite-state Verification OK Finite-state system Specification Verification tool  or Error trace Line 5: … Line 12: … Line 15:… Line 21:… Line 25:… Line 27:… … Line 41:… Line 47:…

9 Finite-state Verification Effective for analyzing properties of hardware systems Widespread success and adoption in industry

10 Software verification Limited success due to the enormous state spaces associated with most software systems Recent years have seen many efforts to apply those techniques to software

11 Abstraction: the key to scaling up Original system symbolic state Abstract system represents a set of states abstraction Safety: The set of behaviors of the abstract system over-approximates the set of behaviors of the original system

12 Goals… Verification tool for software, using abstraction. Easy for writing specifications. Use of existing verification tools. Verification time is reasonable. Easy to understand the counter example. Reusable. (Specifications)

13 Bandera: An open tool set for model-checking Java source code Checker Inputs Checker Outputs Optimization Control Transformation & Abstraction Tools Model Checkers Java Source void add(Object o) { buffer[head] = o; head = (head+1)%size; } Object take() { … tail=(tail+1)%size; return buffer[tail]; } Temporal Specification Graphical User Interface Error Trace Mapping Bandera Slicing Abstract Interpretation Static Analysis ?

14 Issue: Rendering Requirement Often difficult to formalize a requirement in temporal logic “Between the window open and the window close, button X can be pushed at most twice.” []((open && <>close) -> ((!pushX && !close) U (close || ((pushX && !close) U (close || ((!pushX && !close) U (close || ((pushX && !close) U (close || (!pushX U close)))))))))) …is rendered in LTL as...

15 Graphical User Interface Issue: Checker Dependence Checker Inputs Transformation & Abstraction Tools Model Checkers Java Source void add(Object o) { buffer[head] = o; head = (head+1)%size; } Object take() { … tail=(tail+1)%size; return buffer[tail]; } Temporal Specification Bandera LTL Spin CTL SMV CSP FDR mismatch!

16 Issue: Representation Dependence Source’s representation (((_collect(heap_b) == 1)\ && (BoundedBuffer_col.instance[_index(heap _b)].head == BoundedBuffer_col.instance[_index(heap _b)].tail) )\ || ((_collect(heap _b) == 3)\ && (BoundedBuffer_col_0.instance[_index(heap _b)].head == BoundedBuffer_col_0.instance[_index(heap _b)].tail) )\ || ((_collect(heap _b) == 0) && TRAP)) Heap.b.head == Heap.b.tail Model’s representation

17 Problem summary Rendering Checker dependence Representation dependence Quantification

18 BSL: Bandera Specification Language Assertion DefinitionPredicate Definition Assertion Property Specification (selective enabling) Temporal Property Specification (via pattern language) Quantification Propositions stated in terms of source code features Based on an extensible system of temporal specification patterns Heap objects are named via object quantification

19 Predicate Forms Static/Instance Data Constraints @observable [static] EXP ; Invocation @observable INVOKE ; Return @observable RETURN ; Arbitrary Locations @observable LOCATION[ ] ;

20 Semantic Issues o1.next.value == 0 ( o1 != null) && (o1.next != null) && ( )

21 Quantification (Cont’d) forall[b:BoundedBuffer]. {Full(b)} leads to {!Full(b)} globally; (heap.b == null U (heap.b != null && ([](heap.b.head == heap.b.tail) -> <>(heap.b.head != heap.b.tail)))) || [](heap.b == null)

22 Methodology: Property Specification Identify observables (propositions) in requirement Define propositions in source Java-doc comments Use GUI to select appropriate temporal pattern parameterized by declared observables Add quantification if property contains instance propositions. Given a software requirement...

23 Bounded Buffer class BoundedBuffer { Object [] buffer; int head; /* next available slot */ int tail; /* last available slot */ int bound; /* max # of elements */ public BoundedBuffer(int b) {…} public synchronized boolean isEmpty() {…} public synchronized void add(Object o) {…} public synchronized Object take () {…} } Initialization headtail Add,Add head tail Add,Take,Take headtail

24 Bounded Buffer public BoundedBuffer(int b) { bound = b; buffer = new Object[bound]; head = 0; tail = bound-1; } public synchronized boolean isEmpty() { return head == ((tail+1) % bound); } Initialization headtail Add,Add head tail Add,Take,Take headtail

25 Bounded Buffer public synchronized void add(Object o) { while ( tail == head ) try { wait(); } catch (InterruptedException ex) {} buffer_[head] = o; head = (head+1) % bound; notifyAll(); } public synchronized Object take() { while (head == ((tail+1) % bound)) try { wait(); } catch (InterruptedException ex) {} tail = (tail+1) % bound; notifyAll(); return buffer_[tail]; } Initialization headtail Add,Add head tail Add,Take,Take headtail

26 Bounded Buffer Properties Full buffers eventually become non-full Indices always stay in range Empty buffers must be added to before being taken from Buffers are constructed with positive bounds

27 Property Specification class BoundedBuffer { Object [] buffer; int head, tail, bound; public synchronized void add(Object o) {…} public synchronized Object take () {…} } Requirement 1: If a buffer becomes full, it will eventually become non-full. /** * @observable * EXP Full: (head == tail); */ Bandera Specification: FullToNonFull: {!Full(b)} responds to {Full(b)} globally; forall[b:BoundedBuffer].

28 Property Specification class BoundedBuffer { Object [] buffer; int head, tail, bound; public synchronized void add(Object o) {…} public synchronized Object take () {…} } Requirement 2: /** * @observable * EXP HeadRange: * head >= 0 && head < bound; * Exp TailRange: * tail >= 0 && tail < bound; */ Indices always stay in range. Bandera Specification: IndexRangeInvariant: {HeadRange(b) && TailRange(b)} is universal globally; forall[b:BoundedBuffer].

29 Property Specification Requirement 3: Empty buffers must added to before being taken from Bandera Specification: NoTakeWhileEmpty: {take.Return(b)} is absent after {Empty(b)} until {add.Call(b)}; forall[b:BoundedBuffer]. /** * @observable * EXP Empty: * head == ((tail+1) % bound); */ class BoundedBuffer { int head, tail, bound; public synchronized void add(Object o) {…} public synchronized Object take () {…} } /** * @observable INVOKE Call; */ /** * @observable RETURN Return; */

30 Property Specification Requirement 4: Bandera Specification: PositiveBound: enable assertions {PositiveBound}; Buffers are constructed with positive bounds public BoundedBuffer(int b) { bound = b; buffer = new Object[bound]; head = 0; tail = bound-1; } /** * @assert * PRE PositiveBound: * (b > 0); */

31 Quantification forall[b:BoundedBuffer].P(b) Solution Quantified set is not fixed varies within executions varies across executions by adding a state variable (for b) that will eventually be bound non- deterministically to each instance by enabling checking of the formula only when variable is bound to an instance

32 Data Type Abstraction int x = 0; if (x == 0) x = x + 1; Data domains (n<0) : NEG (n==0): ZERO (n>0) : POS Signs NEGPOSZERO int Code Signs x = ZERO; if (Signs.eq(x,ZERO)) x = Signs.add(x,POS); Collapses data domains via abstract interpretation:

33 Bandera hypothesis Abstraction of data domains is necessary Automated support for Defining abstract domains (and operators) Selecting abstractions for program components Generating abstract program models Interpreting abstract counter-examples will make it possible to Scale property verification to realistic systems Ensure the safety of the verification process

34 Abstraction in Bandera Abstraction Library BASL Compiler Variable Concrete Type Abstract Type Inferred Type Object x y done count o b int bool Buffer int …. Signs int bool …. Point Buffer Program Abstract Code Generator Abstracted Program Bandera Abstraction Specification Language Abstraction Definition PVS

35 Definition of Abstractions in BASL abstraction Signs abstracts int begin TOKENS = { NEG, ZERO, POS }; abstract(n) begin n {NEG}; n == 0 -> {ZERO}; n > 0 -> {POS}; end operator + add begin (NEG, NEG) -> {NEG} ; (NEG, ZERO) -> {NEG} ; (ZERO, NEG) -> {NEG} ; (ZERO, ZERO) -> {ZERO} ; (ZERO, POS) -> {POS} ; (POS, ZERO) -> {POS} ; (POS, POS) -> {POS} ; (_,_) -> {NEG,ZERO,POS}; /* case (POS,NEG),(NEG,POS) */ end Automatic Generation Forall n1,n2: neg?(n1) and neg?(n2) implies not pos?(n1+n2) Forall n1,n2: neg?(n1) and neg?(n2) implies not zero?(n1+n2) Forall n1,n2: neg?(n1) and neg?(n2) implies not neg?(n1+n2) Proof obligations submitted to PVS... Example: Start safe, then refine: +(NEG,NEG)={NEG,ZERO,POS}

36 Compiling BASL Definitions abstraction Signs abstracts int begin TOKENS = { NEG, ZERO, POS }; abstract(n) begin n {NEG}; n == 0 -> {ZERO}; n > 0 -> {POS}; end operator + add begin (NEG, NEG) -> {NEG} ; (NEG, ZERO) -> {NEG} ; (ZERO, NEG) -> {NEG} ; (ZERO, ZERO) -> {ZERO} ; (ZERO, POS) -> {POS} ; (POS, ZERO) -> {POS} ; (POS, POS) -> {POS} ; (_,_)-> {NEG, ZERO, POS}; /* case (POS,NEG), (NEG,POS) */ end public class Signs { public static final int NEG = 0; // mask 1 public static final int ZERO = 1; // mask 2 public static final int POS = 2; // mask 4 public static int abs(int n) { if (n < 0) return NEG; if (n == 0) return ZERO; if (n > 0) return POS; } public static int add(int arg1, int arg2) { if (arg1==NEG && arg2==NEG) return NEG; if (arg1==NEG && arg2==ZERO) return NEG; if (arg1==ZERO && arg2==NEG) return NEG; if (arg1==ZERO && arg2==ZERO) return ZERO; if (arg1==ZERO && arg2==POS) return POS; if (arg1==POS && arg2==ZERO) return POS; if (arg1==POS && arg2==POS) return POS; return Bandera.choose(7); /* case (POS,NEG), (NEG,POS) */ } Compiled

37 Data Type Abstractions Library of abstractions for base types contains: Range(i,j), i..j modeled precisely, e.g., Range(0,0) is the signs abstraction Modulo(k), Set(v,…) Point maps all concrete values to unknown User extendable for base types Array abstractions Specified by an index abstraction and an element abstraction Class abstractions Specified by abstractions for each field

38 Interpreting Results Example: x = -2; if(x + 2 == 0) then... x = NEG; if(Signs.eq(Signs.add(x,POS),ZERO)) then... {NEG,ZERO,POS} For an abstracted program, a counter-example may be infeasible because: –Over-approximation introduced by abstraction

39 Slicing Generate reduced model Program P with specification Φ Bandera collect statements of interest From Φ (slicing criterion for Φ) Compute P’: reduce version of P. P |= Φ  P’|= Φ

40 Slicing Does program dependence-based slicing to get a reduced version of P dependences: data, control, interference, ready, wait backwards slicing Effectiveness based on structure of program Relevant In Property

41 Counter-Example: Overview Counter-example with a thousand states?!?! Bandera provides debugger-like features: map states to source code program tracing create checkpoints keep track of variables and objects UML-like object displays lock graphs

42 Using Bandera Launch the Bandera User Interface (BUI) from the command line Future runs: save which components you want to use in session files

43 Counter-Example: Program Tracing

44 Counter-Example: Lock Graph

45 Counter-Example: Object Viewer

46 Property Specification

47

48 Mandatory Performance Slide ProblemExtract Time (s) Check Time (s) Check Result States b, r1, n242674true7338120 b, r1, s134true3478 b, r1, a154true895 b, r2, s1356true528059 b, r2, a1611true27519 b, p1, s134true2507 b, p1, a154true331 d, r1, s133false88 d, r1, a152false17 Threaded Pipeline b: basic d: defective variant r: response property p: precedence property n: no reductions s: slicing a: slicing + data abstraction

49 BoundedBuffer Propery Check Data PropertySlicedNever-Claim States States Stored Buffer AssertionsYes-17797 IndexRangeInvYes1445215 IndexRangeInv, Buffer Assertions Yes14115387 Full To Non FullYes2564687 Full to Non Full, Buffer Assertions Yes25154842

50 When to Use Model Checking Control-related properties assertions pre- and post-conditions simple data invariants Container objects Stacks Queues Verifying concurrent behavior Necessity for counter-examples Automatic property verification of source code

51 Analysis Not Appropriate for Model Checking Data-related properties Verification of sorting algorithms Use other formal methods instead (theorem proving) Where static dataflow analysis is better array-bounds errors buffer overruns null-pointer de-referencing

52 Conclusions Software verification is applicable and can help. (but…) Slicing is critical. BSL making the specification writing much more simple. (but…) The counter example is intuitive.

53 Future work More quantifications (array) Support predicate with arbitrary parameters Method invocation in predicate. More model checkers. Increase the template library

Download ppt "Bandera Tool Set Presented by: Dor Nir. Outline Specification Language (LTL) Software verification problems Introduction to Bandera tool Set Bandera Specification."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.

Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
Abstraction of Source Code (from Bandera lectures and talks)

Abstraction of Source Code (from Bandera lectures and talks)
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………

Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.

1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Ch. 7 Process Synchronization (1/2) 2015-04-17. 7.I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.

Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
Carnegie Mellon University Java PathFinder and Model Checking of Programs Guillaume Brat, Dimitra Giannakopoulou, Klaus Havelund, Mike Lowry, Phil Oh,

Carnegie Mellon University Java PathFinder and Model Checking of Programs Guillaume Brat, Dimitra Giannakopoulou, Klaus Havelund, Mike Lowry, Phil Oh,
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.

1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
Bandera: Extracting Finite-state Models from Java Source Code James C. Corbett (Hawai’i) Matthew B. Dwyer, John Hatcliff, Shawn Laubach, Corina S. Păsăreanu,

Bandera: Extracting Finite-state Models from Java Source Code James C. Corbett (Hawai’i) Matthew B. Dwyer, John Hatcliff, Shawn Laubach, Corina S. Păsăreanu,

Similar presentations

Ads by Google