Slide 1: Efficient Software Model Checking of Data Structure Properties
Paul T. Darga, Chandrasekhar Boyapati
The University of Michigan
Slide 2: Software Model Checking
• Exhaustively test code
  – On all possible schedules
  – On all possible inputs
  – Within a bounded finite domain
Slide 3: Software Model Checking
[figure: the state space explored from an initial state by following transitions; the number of states grows explosively ("State Space Explosion!")]
Slide 4: State Space Reduction
• Many software model checkers
  – Verisoft, JPF, CMC, SLAM, Blast, Magic, …
• Many state space reduction techniques
  – Partial order reduction
  – Predicate abstraction
• Effective for control-oriented properties
• Our work focuses on data-oriented properties
Slide 5: Our Approach: Tree Example
• Our system detects that it suffices to check:
  – Every operation on every tree path
  – Rather than every operation on every tree
• Red-black tree: O(n^3) paths, O(n^n) trees
• Significant speedup to model checking
Slide 6: Glass Box Model Checking
[figure: the state space of a bounded queue, each state labelled (front, back) with enqueue and dequeue transitions, drawn twice]
• Traditional (black-box) model checker: O(n^2) states, O(n^2) transitions
• Glass box model checker: O(n) states, O(n) transitions
Slide 7: Outline
• Introduction to glass box model checking
• Challenges
• Experimental results
• Related work
• Future work and conclusion
Slide 8: Glass Box: Challenges
• State space organization
Slide 9: State Space Reachability
• We cannot use reachability through transitions (black-box approach)
• Programmers must provide a class invariant
• State space: the set of all type-correct states within a specified bound which satisfy the invariant
[figure callout: a state that is disconnected, i.e. not reachable through any transition, but one of whose transitions still has to be checked]
Slide 10: Invariants: Specification
• Singly-linked list: absence of cycles
• java.util.TreeMap: 1670 lines of code, 20 lines of invariant

The invariant written by hand as a repOk method, which walks the list and fails on the first node it reaches twice:

    class LinkedList {
        static class Node { Node next; Object value; }
        Node head;

        boolean repOk() {
            java.util.Set<Node> visited = new java.util.HashSet<>();
            for (Node n = head; n != null; n = n.next) {
                if (!visited.add(n)) return false;   // node seen before: the list has a cycle
            }
            return true;
        }
    }

The same invariant expressed with the deck's tree field annotation; the annotation states the acyclicity that the first version checks by hand, so repOk has nothing left to check:

    class LinkedList {
        static class Node { tree Node next; Object value; }
        tree Node head;

        boolean repOk() {
            // writing invariants is easy and fun!
            return true;
        }
    }
Slide 11: Glass Box: Search Algorithm

    I = states satisfying the invariant
    S = I × { transitions }
    while (S is not empty) {
        t = any transition in S
        run t
        verify the post-condition
        T = { transitions similar to t }
        S = S – T
    }

How do we represent these sets, and perform operations on them, efficiently?
Slide 12: Glass Box: Challenges
• State space organization
  – Class invariants
• State space representation
  – Binary decision diagrams
Slide 13: Binary Decision Diagrams
• Compact representation of exponentially large yet structured sets
• Perform set operations directly
[figure: a BDD whose decision variables are "root is null", "left is null", "right is null", "root is red", "left is red" and "right is red"]
Slide 14: BDDs: Red-Black Trees

Max Height | Set Size                   | BDD Size
1          | 2                          | 0
2          | 7                          | 12
3          | 34                         | 58
4          | 597                        | 226
5          | 238526                     | 744
6          | 42715248230                | 2367
7          | 1123387228727905854061     | 7359
Slide 15: Glass Box: Challenges
• State space organization
  – Class invariants
• State space representation
  – Binary decision diagrams
• State space reduction
  – Monitoring field access
  – Monitoring information flow
  – Pruning isomorphic structures
  – Ensuring soundness
Slide 16: Monitoring Field Access

The transition being checked (pop on a four-element list):

    t := op = pop ∧ head = n0 ∧ n0.value = 3 ∧ n0.next = n1
                  ∧ n1.value = 7 ∧ n1.next = n2
                  ∧ n2.value = 4 ∧ n2.next = n3
                  ∧ n3.value = 2 ∧ n3.next = null

    Object pop() {
        if (head == null) return null;
        Object v = head.value;
        head = head.next;
        return v;
    }

[figure: head → n0 (3) → n1 (7) → n2 (4) → n3 (2)]

Fields the run actually reads: head = n0 ∧ n0.value = 3 ∧ n0.next = n1. The set of transitions similar to t therefore only constrains those fields:

    T := op = pop ∧ head = n0 ∧ n0.value = 3 ∧ n0.next = n1

Monitoring information flow refines this further: n0.value is only copied to the return value, so the constraint on it is dropped as well:

    T := op = pop ∧ head = n0 ∧ n0.next = n1
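The search loop from Slide 11 combined with the field-access monitoring of this slide, as an added worked example that is not the authors' code. It is constructed for this page: a bounded array-backed stack (bound MAX, cell values from DOMAIN, cells at or above size holding stale values), an invariant that only bounds size, and push/pop post-conditions are all assumptions of the example. Only the loop (pick a transition, run it, check it, drop every transition that agrees on the fields the run read) follows the slides.

```python
from itertools import product

MAX = 4                                   # bound on the stack size (constructed)
DOMAIN = (0, 1, 2)                        # values a cell may hold (constructed)
FIELDS = ("size",) + tuple(f"a{i}" for i in range(MAX))
OPS = ("pop",) + tuple(f"push{v}" for v in DOMAIN)


def type_correct_states():
    """Every field assignment within the bound, invariant or not. size is an
    int, so the bound deliberately admits MAX + 1, which the invariant rejects."""
    for size in range(MAX + 2):
        for cells in product(DOMAIN, repeat=MAX):
            yield dict(zip(FIELDS, (size,) + cells))


class Monitored:
    """State wrapper recording the pre-state fields a run depends on. A read
    of a field this run already wrote observes the post-state, so it is not
    recorded as a pre-state dependency."""

    def __init__(self, state):
        self.pre = dict(state)
        self.cur = dict(state)
        self.reads = {}                   # field -> pre-state value observed
        self.written = set()

    def read(self, field):
        if field not in self.written:
            self.reads[field] = self.cur[field]
        return self.cur[field]

    def read_pre(self, field):
        self.reads[field] = self.pre[field]
        return self.pre[field]

    def write(self, field, value):
        self.written.add(field)
        self.cur[field] = value


def rep_ok(m):
    """Class invariant, evaluated through the monitor: size stays in bound."""
    return 0 <= m.read("size") <= MAX


def run(op, m):
    """The code under test: one transition on the monitored state."""
    size = m.read("size")
    if op == "pop":
        if size == 0:
            return None
        top = m.read(f"a{size - 1}")
        m.write("size", size - 1)
        return top
    value = int(op[len("push"):])
    if size == MAX:
        return False
    m.write(f"a{size}", value)
    m.write("size", size + 1)
    return True


def post_ok(op, result, m):
    """Post-condition, also evaluated through the monitor so every field it
    compares counts as a dependency of the verdict."""
    old = m.read_pre("size")
    if op == "pop":
        if old == 0:
            return result is None and m.read("size") == 0
        return result == m.read_pre(f"a{old - 1}") and m.read("size") == old - 1
    value = int(op[len("push"):])
    if old == MAX:
        return result is False and m.read("size") == MAX
    return result is True and m.read(f"a{old}") == value and m.read("size") == old + 1


def state_key(s):
    return tuple(s[f] for f in FIELDS)


def glass_box_search():
    """Returns (invariant states, transitions, transitions actually run);
    raises AssertionError if some transition breaks its contract."""
    states = [s for s in type_correct_states() if rep_ok(Monitored(s))]
    by_key = {state_key(s): s for s in states}
    pending = {(k, op) for k in by_key for op in OPS}   # S = I x {transitions}
    total, explored = len(pending), 0
    while pending:
        k, op = min(pending)              # any transition; min keeps the run deterministic
        m = Monitored(by_key[k])
        result = run(op, m)
        if not (post_ok(op, result, m) and rep_ok(m)):
            raise AssertionError(f"{op} violates its contract on {by_key[k]}")
        explored += 1
        # Every invariant state agreeing with this one on the fields the run
        # (operation, post-condition and invariant check) read takes the same
        # path and gets the same verdict: those transitions are "similar" and
        # leave S without being run.
        similar = {(state_key(s), op) for s in states
                   if all(s[f] == v for f, v in m.reads.items())}
        pending -= similar
    return len(states), total, explored


if __name__ == "__main__":
    print(glass_box_search())             # (405, 1620, 28)
```

With this bound there are 405 invariant states and 1620 transitions, but only 28 are ever run: one per (size, top value) for pop and one per size for each push, which is the per-path rather than per-state effect the deck describes. The check on the post-state and the post-condition are routed through the same monitor on purpose: if only the operation's reads were recorded, a state that agrees on those reads but differs on a field the post-condition inspects could be pruned without ever being checked, which is the soundness point the "Ensuring soundness" bullet refers to. Information-flow monitoring, which would also drop the dependency on the popped value, is not modelled here.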
Slide 18: Performance: Stack (transitions)

Max Size | BDD Nodes | Glass Box | JPF   | Black Box
1        | 9         | 4         | 33    | 9
2        | 14        | 5         | 141   | 32
3        | 16        | 5         | 1033  | 115
4        | 18        | 5         | 10949 | 450
8        | 26        | 5         | -     | 264420
16       | 42        | 5         | -     | -
32       | 74        | 5         | -     | -
64       | 140       | 5         | -     | -
128      | 268       | 5         | -     | -
Slide 19: Performance: Stack (time in seconds)

Max Size | BDD Nodes | Glass Box | JPF   | Black Box
1        | 9         | 0.016     | 0.533 | 0.008
2        | 14        | 0.016     | 0.669 | 0.009
3        | 16        | 0.017     | 1.349 | 0.012
4        | 18        | 0.017     | 7.233 | 0.030
8        | 26        | 0.017     | -     | 2.242
16       | 42        | 0.018     | -     | -
32       | 74        | 0.018     | -     | -
64       | 140       | 0.020     | -     | -
128      | 268       | 0.023     | -     | -
Slide 20: Performance: Queue (transitions)

Max Size | BDD Nodes | Glass Box | JPF   | Black Box
1        | 17        | 5         | 601   | 27
2        | 36        | 7         | 89756 | 356
3        | 46        | 8         | -     | 6610
4        | 61        | 9         | -     | 176430
8        | 114       | 13        | -     | -
16       | 272       | 21        | -     | -
32       | 834       | 37        | -     | -
64       | 2873      | 69        | -     | -
128      | 12292     | 133       | -     | -
Slide 21: Performance: Queue (time in seconds)

Max Size | BDD Nodes | Glass Box | JPF    | Black Box
1        | 17        | 0.019     | 1.121  | 0.011
2        | 36        | 0.020     | 47.598 | 0.044
3        | 46        | 0.020     | -      | 0.161
4        | 61        | 0.020     | -      | 2.126
8        | 114       | 0.022     | -      | -
16       | 272       | 0.028     | -      | -
32       | 834       | 0.050     | -      | -
64       | 2873      | 0.086     | -      | -
128      | 12292     | 0.118     | -      | -
Slide 22: Performance: Red-Black Tree (transitions)

Max Height | BDD Nodes | Glass Box | JPF | Black Box
1          | 28        | 6         | 49  | 12
2          | 493       | 28        | -   | 936
3          | 3860      | 108       | -   | 18143370
4          | 24400     | 366       | -   | -
5          | 128314    | 1094      | -   | -
6          | 781369    | 2968      | -   | -
7          | 6263228   | 7524      | -   | -

Only 10 seconds to verify over 2^70 red-black trees!
Slide 23: Performance: Red-Black Tree (time in seconds)

Max Height | BDD Nodes | Glass Box | JPF   | Black Box
1          | 28        | 0.022     | 0.617 | 0.013
2          | 493       | 0.028     | -     | 0.084
3          | 3860      | 0.066     | -     | 431.682
4          | 24400     | 0.134     | -     | -
5          | 128314    | 0.340     | -     | -
6          | 781369    | 1.543     | -     | -
7          | 6263228   | 10.340    | -     | -

Only 10 seconds to verify over 2^70 red-black trees!
Slide 24: Performance: File System (transitions)

Max Height | BDD Nodes | Glass Box | JPF  | Black Box
2          | 784       | 62        | 1290 | 1570
3          | 1764      | 135       | -    | 14820
4          | 3728      | 240       | -    | 552900
5          | 6531      | 380       | -    | -
6          | 9984      | 558       | -    | -
7          | 13467     | 777       | -    | -
8          | 21755     | 1040      | -    | -
9          | 31031     | 1350      | -    | -
10         | 40954     | 1710      | -    | -
Slide 25: Performance: File System (time in seconds)

Max Height | BDD Nodes | Glass Box | JPF   | Black Box
2          | 784       | 0.035     | 6.883 | 0.045
3          | 1764      | 0.057     | -     | 0.201
4          | 3728      | 0.075     | -     | 6.267
5          | 6531      | 0.096     | -     | -
6          | 9984      | 0.109     | -     | -
7          | 13467     | 0.125     | -     | -
8          | 21755     | 0.147     | -     | -
9          | 31031     | 0.167     | -     | -
10         | 40954     | 0.203     | -     | -
Slide 27: Related Work
• Software model checkers
  – Verisoft [Godefroid]
  – Java PathFinder [Visser et al]
  – CMC [Musuvathi, Park, Chou, Engler, Dill]
  – Bandera [Corbett, Dwyer, Hatcliff, Robby, et al]
  – Bogor [Dwyer, Hatcliff, Hoosier, Robby]
  – SLAM [Ball, Majumdar, Millstein, Rajamani]
  – Blast [Henzinger, Jhala, Majumdar]
  – Magic [Chaki, Clarke, Groce, Jha, Veith]
  – XRT [Grieskamp, Tillmann, Schulte]
  – JCAT [DeMartini, Iosif, Sisto]
Slide 28: Related Work
• State space reduction techniques
  – Abstraction & refinement [SLAM; Blast; Magic]
  – Partial order reduction [Godefroid; Flanagan]
  – Heap canonicalization [Musuvathi, Dill; Iosif]
  – Symmetry reduction [Ip, Dill]
Slide 29: Related Work
• Static analysis tools
  – TVLA [Sagiv, Reps, Wilhelm]
  – PALE [Moeller, Schwartzbach]
• Formal verification using theorem provers
  – ESC/Java [Nelson et al]
  – ACL2 [Kaufmann, Moore, et al]
Slide 31: Future Work
• Data structures are just the beginning
• Applicable to any system where we can:
  – Describe the state space using invariants
  – Rely on transitions depending on only a small part of the state
• Can significantly speed up model checking