Presentation is loading. Please wait.

Presentation is loading. Please wait.

An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer.

Published byAugustus Goodwin Modified over 8 years ago

Similar presentations

Presentation on theme: "An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer."— Presentation transcript:

1 An extensible and highly-modular model checking framework http://bogor.projects.cis.ksu.edu SAnToS Laboratory, Kansas State University, USA Matt Dwyer John Hatcliff Principal Investigators Support ARO CIP/SW URI award DAAD190110564 DARPA/AFRL project AFRL-F33615-00-C-3044 NSF SEL Program under Award CCR-0306607 Students Robby

2 Model Checking-based Analyses Given a finite-state model and property specifications Explores all possible states that are reachable from the initial state and check the properties For concurrent programs, explore all possible interleavings of threads Needs to remember all states that are visited for termination

3 Model Checking-based Analyses Rich-class of correctness properties Precise semantic reasoning Relative to typical static analyses Pros Cons Scalability!

4 Issues in Model Checking Desperately need all reduction techniques one can think of Reducing the number of interleavings that are considered (e.g., slicing, POR) Reducing the number of states that are explored (e.g., slicing, abstractions, symmetry) Reducing the number of bits needed to store the states (e.g., compression, collapse)

5 Issues in Model Checking — Experience with Existing Tools Significant experience using existing tools hand-crafted models as target of translation Clever mappings required to express artifact features, e.g., heap data for efficiency, e.g., symmetry reductions Often times additional state variables were needed to express events in state-based formalisms to state properties over extent of a reference type to implement scheduling policies

6 Issues in Model Checking Need complete control on all aspects of a model checker Efficient mapping of software artifact onto model checking framework To implement the reduction techniques Rapid prototyping

7 Issues in Model Checking — Custom Model Checkers Modifying a model checker is daunting dSpin (Iosif) SMV (Chan) Building a custom model checker is a point-solution JPF, SLAM, … Tool-kits don’t yield optimized checkers NuSMV, Concurrency Factory, “The Kit”, … Bogor incorporates the advantages of each of these approaches

8 We would like …. Rich core input language for modeling dynamic and concurrent system Extensible input language Minimizes syntactic modification when extending Minimizes effort for customized semantics Highly-capable core checker State-of-the-art reduction algorithms Customizable checker components Eases specialization or adaptation to a particular family of software artifacts Domain-experts with some knowledge of model checking can customize the checker on their own

9 Rich Input Language Built on guarded-assignment language Natural to model concurrent system Features to support dynamic, concurrent software artifacts Dynamic creation of threads and objects Automatic memory management (ala Java) Inheritance, exceptions, (recursive) functions Type-safe function pointers

10 Extensible Input Language Allow model checker input language to directly support natural domain abstractions For example, chan in Promela Hides intricate details of how a communication channel is implemented Only focuses on the behavior of the channel that is relevant, e.g., synchronous, rendezvous, etc. Fewer details of states that need to be stored, and possibly less states that needs to be explored Syntax does not need to change, and new abstractions can be added on demand

11 Extensible Input Language — Resource Contention Example Process#1 Process#3 Process#2 Process#4 acquire release Resource Pool

12 Extensible Input Language — Resource Contention Example Process#1 Process#3 Process#2 Process#4 acquire Resource Pool

13 Extensible Input Language — Resource Contention Example Process#1 Process#3 Process#2 Process#4 release Resource Pool How do we represent the resource pool if we are checking for example deadlock? How do we encode the representation in the model?

14 Extensible Input Language — Set Extension Example (Syntax) Bogor allows new abstract types and abstract operations as first-class construct

15 Extensible Input Language — Set Extension Example (Semantics) public class MySet implements INonPrimitiveExtValue { protected HashSet set = new HashSet(); protected boolean isNonPrimitiveElement; public void add(IValue v) { set.add(v); } public byte[][] linearize(..., int bitsPerNPV, ObjectIntTable npvIdMap) { Object[] elements = set.toArray(); BitBuffer bb = new BitBuffer(); if (isNonPrimitiveElement) { int[] elementIds = new int[elements.length]; for (int i = 0; i < elements.length; i++) elementIds[i] = npvIdMap.get(elements[i]); Arrays.sort(elementIds); for (int i = 0; i < elements.length; i++) bb.append(elementIds[i], bitsPerNPV); } else... return new byte[][] { bb.toByteArray() }; }... Implementing the set value for the set type Reuse Java collection to implement set Wrapper for add operation Constructs a bit vector that represents the set instead of encoding the HashSet instance Constructs a bit vector that represents the set instead of encoding the HashSet instance

16 Extensible Input Language — Set Extension Example (Semantics) R GB Suppose the references to resources are represented as integers R, G, B The state of the set consists of encodings of the references to resources And ordered!

17 Extensible Input Language — Observable Extension Example Expression/action extensions can: be non-deterministic have access to all the information in the current state and all previous states in the DFS stack Easy to express predicates/functions over dynamic data e.g., non-deterministically choose a reachable heap instance from a given reference

18 Extensible Input Language — Observable Extension Example (Syntax) An invariant example using Bogor function expressions Function expressions can be recursive … …

19 Extensible Input Language — Observable Extension Example (Semantics) public IValue forAll(IExtArguments arg) { String predFunId =.. MySet set = (MySet) arg.getArgument(1); IValue[] els = set.elements(); for (int i = 0; i < els.length; i++) { IValue val = ee.evaluateApply(predFunId, new IValue[] {els[i] }); if (isFalse(val)) return getBooleanValue(false); } return getBooleanValue(true); }

20 Highly Capable Core Checker Bogor implements state-of-the-art reduction techniques State reductions [Robby-al ‘03] Collapse compression (based on Holzmann ‘97) Heap symmetry (based on Iosif ‘02) Thread symmetry (based on Bosnacki ‘02) Interleaving reductions [Dwyer-al ‘03] Partial order reductions (based on Clarke-al ‘93)

21 Verified Counter Example Lexer Parser Type Checking Semantic Analyses IExpEvaluatorITransformer ISearcher IActionTakerIBacktrackIF IStateMgr IValueFactoryISchedulingStg IStateFactory.bir.config Customizable Architecture

22 Assessment Dynamic Escape Analysis for POR (150 LOC, 20x) Rich-forms of heap quantification Dynamic atomicity (5 LOC, 5x) Middle-ware model Priority Scheduling (200 LOC, 10x) Relative-time environment (10x) Lazy-time environment (240 LOC, 100x) Quasi-cyclic search (200 LOC, 100x)

23 Tool Availability (Summer ’03) http://bogor.projects.cis.ksu.edu

Download ppt "An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer."

Similar presentations

Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer ESBMC 1.22 (Competition Contribution)

Jeremy Morse, Mikhail Ramalho, Lucas Cordeiro, Denis Nicole, Bernd Fischer ESBMC 1.22 (Competition Contribution)
Model Checking Concurrent Software Shaz Qadeer Microsoft Research.

Model Checking Concurrent Software Shaz Qadeer Microsoft Research.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Formal Semantics of Programming Languages 虞慧群 Topic 6: Advanced Issues.

Formal Semantics of Programming Languages 虞慧群 Topic 6: Advanced Issues.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Carnegie Mellon University Java PathFinder and Model Checking of Programs Guillaume Brat, Dimitra Giannakopoulou, Klaus Havelund, Mike Lowry, Phil Oh,

Carnegie Mellon University Java PathFinder and Model Checking of Programs Guillaume Brat, Dimitra Giannakopoulou, Klaus Havelund, Mike Lowry, Phil Oh,
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
Presented by: Thabet Kacem Spring 2010. Outline Contributions Introduction Proposed Approach Related Work Reconception of ADLs XTEAM Tool Chain Discussion.

Presented by: Thabet Kacem Spring Outline Contributions Introduction Proposed Approach Related Work Reconception of ADLs XTEAM Tool Chain Discussion.
Department of Software Engineering Faculty of Mathematics and Physics CHARLES UNIVERSITY IN PRAGUE Czech Republic Extracting Zing Models from C Source.

Department of Software Engineering Faculty of Mathematics and Physics CHARLES UNIVERSITY IN PRAGUE Czech Republic Extracting Zing Models from C Source.
Software Model Checking for Embedded Systems PIs: Matthew Dwyer 1, John Hatcliff 1, and George Avrunin 2 Post-docs: Steven Seigel 2, Radu Iosif 1 Students:

Software Model Checking for Embedded Systems PIs: Matthew Dwyer 1, John Hatcliff 1, and George Avrunin 2 Post-docs: Steven Seigel 2, Radu Iosif 1 Students:
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.

Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
George Blank University Lecturer. CS 602 Java and the Web Object Oriented Software Development Using Java Chapter 4.

George Blank University Lecturer. CS 602 Java and the Web Object Oriented Software Development Using Java Chapter 4.
1 BOGOR – A Flexible Framework For Creating Model Checkers Presented by : Roli Shrivastava 20 March 2007.

1 BOGOR – A Flexible Framework For Creating Model Checkers Presented by : Roli Shrivastava 20 March 2007.
1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.

1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.
Bogor Support US Army Research Office (ARO) US National Science Foundation (NSF) US Department of Defense Advanced Research Projects Agency (DARPA) Rockwell-Collins.

Bogor Support US Army Research Office (ARO) US National Science Foundation (NSF) US Department of Defense Advanced Research Projects Agency (DARPA) Rockwell-Collins.
UML CASE Tool. ABSTRACT Domain analysis enables identifying families of applications and capturing their terminology in order to assist and guide system.

UML CASE Tool. ABSTRACT Domain analysis enables identifying families of applications and capturing their terminology in order to assist and guide system.
1 Introduction to CS301. 2 Agenda Syllabus Schedule Lecture: the management of complexity.

1 Introduction to CS Agenda Syllabus Schedule Lecture: the management of complexity.
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space 03-640-760603-640-5358 html://www.cs.tau.ac.il/~msagiv/courses/sem03.html.

Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://
1 Ivan Lanese Computer Science Department University of Bologna Italy Concurrent and located synchronizations in π-calculus.

1 Ivan Lanese Computer Science Department University of Bologna Italy Concurrent and located synchronizations in π-calculus.

Similar presentations

Ads by Google