Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shape analysis with SAT Daniel Jackson & Mandana Vaziri Software Design Group, MIT LCS Schloss Ringberg · February 21, 2000.

Published byLynn Freeman Modified over 8 years ago

Similar presentations

Presentation on theme: "Shape analysis with SAT Daniel Jackson & Mandana Vaziri Software Design Group, MIT LCS Schloss Ringberg · February 21, 2000."— Presentation transcript:

1 shape analysis with SAT Daniel Jackson & Mandana Vaziri Software Design Group, MIT LCS Schloss Ringberg · February 21, 2000

2 2 why software model checking? want to analyze specs but no commensurate analysis only theorem proving and type checking? formal specifications are write-only model checking offers automation of deep analysis focus on presence not absence of errors rich property language

3 3 how would model checking differ for software? sequential focus not on concurrency relational state itself is relational essence of Z, RDB, OO incremental & modular global operations declarative style abstract all software is infinite state

4 4 progress so far nitpick (1995) a model finder for relational calculus exploits inherent symmetry in type structure painful language, didn’t scale (but caught bugs) abstraction? too hard to find abstractions concrete search within finite ‘scope’ alloy/alcoa (1998) richer language (closer to Z, UML) SAT-based analysis scales much better examples architectures (COM, HLA), protocols (IPv6, phones) code (CTAS), metamodels (UML)

5 5 BART railway problem problem prevent train collisions on same track, or tracks too close mechanism gates before points trains stop at closed gates problem where are gates? is policy safe?

6 6 sample alloy model model Bart { domain {Segment, Gate, Train} state Segments { succ, overlaps : Segment -> Segment gate : Segment! -> Gate? partition Open, Closed : Gate on : Train -> Segment ! } cond Safety {all s | sole s.overlaps.~on} inv Policy {all s | sole (s.conflicts + s).gate & Open} op TrainsMove (ts : Train) { all t : ts | t.on' in t.on.succ no (ts.on.gate & Closed) all t : Train - ts | t.on = t.on’ } assert PolicyWorks {all t | TrainsMove (t) && Safety -> Safety'} relational state declarative description modular analysis

7 7 alcoa: alloy constraint analyzer how Alcoa is used start with minimal description consistent? (too many constraints?) consequences? (too few?) what analysis involves finding models of relational formula for op, sample transition for negation of assertion, counter scope limit #elements in basic types in scope of 3, 2^9 values / relation reduce map back MAPPING SAT PROBLEM SAT SOLUTION SAT solver DESIGN PROBLEM DESIGN ANALYSIS FSE 96 (BDDs) FSE 98 (WalkSAT) 1999 (SATO)

8 8 analyzing code idea treat procedure as operation to check with Alcoa compose from declarative specs of statements combine paths with disjunction features expressive property language no need to adapt analysis to properties counterexample is trace of states modular – use spec in place of code unsound – small scope, few unrollings

9 9 example a procedure class List {List next} void insert (List first, List rest) {first.next = rest} an assertion insert && Acyclic (rest) -> Acyclic’ (first) where Acyclic (l : List) {no x : l.*next | x in x.+next} how insert is translated (first.next’ = rest)  (all x | x != first -> x.next = x.next’)  (rest’ = rest) a counterexample first = rest = L1 next = { } next’ = {L1 -> L1}

10 10 programming language procedures & classes program ::= classdecl* procdecl* classdecl ::= class class { class field, } procdecl ::= class proc ( class var, ) { stmt } statements stmt ::= var = term | term. field = term | return term | while pred { stmt } | if pred stmt stmt | stmt ; stmt terms & predicates term ::= null | var | term. field pred ::= term == term | ! pred | pred && pred

11 11 formula language declarations sigdecl ::= sig sig { type { type, } state { compdecl } } compdecl ::= set : expr mult | relation : expr mult -> expr mult mult ::= ! | ? | + expressions expr ::= set | type | relation | expr + expr | expr & expr | expr - expr | expr. expr | ~ expr | * expr | + expr | { v | formula } formulas formula ::= expr = expr | expr in expr | all v | formula | some v | formula | ! formula | formula && formula | let v be expr | formula

12 12 modelling state for each procedure sig State { type { Object } state { … } } for each class C state { C : Object } for each arg or var v of class C state { v : C ? } for each field f in class C of class D state { f : C -> D ? } example class List {List next} void insert (List first, List rest) { first.next = rest } translation sig insertState { type {Object} state {first, rest : List ?, next : List -> List ? } op insert () { first.next’ = rest all x | x != first -> x.next = x.next’ rest’ = rest } }

13 13 sequential composition state shorthands represent pre-state, post-state by structures pre and post of sig State c and c’ are short for pre :: c and post :: c composition sugar F ; G is short for some s : State | (let post be s | F)  (let pre be s | G) example statements a = b.next ; c = a.next formulasa’ = b.next ; c’ = a.next desugar to ::(post :: a) = (pre :: b). (pre :: next) ; (post :: c) = (pre :: a). (pre :: next) desugar ;some s : State | (s :: a) = (pre :: b). (pre :: next)  (post :: c) = (s :: a). (s :: next) resugarsome s : State | (s :: a) = b.next  c’ = (s :: a). (s :: next)

14 14 translation scheme Java statement to logical formula S n : stmt  formula n is # loop iters Java term to set/relation expression E : term  expr Java predicate to formula P : pred  formula

15 15 translation rules statements S  a ; b  = S  a  ; S  b  S  if p a b  = (P  p   S  a  )  (! P  p   S  b  ) S i  while p { a }  = (P  p   S  a  ; S i-1  while p { a }  )  Close (! P  p  ) S 0  while p { a }  = Close (! P  p  ) S  v = t  = Close (v’ = E  t  ) S  t.f = u  = Close (E  t . f’ = E  u   all x | x != E  t  -> x.f = x. f’) expressions E  v  = v E  t.f  = E  t . f predicates P  t == u  = (E  t  = E  u  ) P  !p  = ! P  p  Close (F) = F && v’ = v && all x | x.f = x.f’ (all v, f not appearing primed in F)

16 16 from formula to counterexample assertion all s, s’ | pre (s)  proc (s,s’) -> post (s, s’) negate some s, s’ | pre (s)  proc (s,s’)  ! post (s, s’) proc (s, s’) is F (s,s’) ; G (s, s’) ; H (s, s’) desugar ; some s1| ((some s0 | F(s, s0)  G (s0, s1))  H (s1, s’) skolemize pre (s)  F (s, s0)  G (s0, s1)  H (s1, s’)  ! post (s, s’) now find model in finite scope obtain counterexample

17 17 null derefs (1) introduce a null object Null : Object! Null.f = Null (initially for all field relations f) E  null  = Null make field relations total state { f : C -> D ! } define derefs performed in a term Derefs  t.f  = Derefs  t  Derefs  v.f  = v instrument program to collect derefs derefs : Object S  t.f = u  = …  derefs’ = derefs + Derefs  t.f  + Derefs  u 

18 18 null derefs (2) assert no null derefs pre  S  proc  -> ! Null in derefs’ interpreting results find first state s such that s :: derefs contains Null means null deref in that statement

19 19 example in full swap procedure List swap (List c) { List p; if (c != null) { p = c ; c = c.next ; p.next = c.next ; c.next = p ; } return c; } translation no derefs  ((c != null  ( p’ = c  c’ = c  all x | x.next’ = x.next ; c’ = c.next  p’ = p  all x | x.next’ = x.next  derefs’ = derefs + c ; p.next’ = c.next  p’ = p  c’ = c  all x | x != p -> x.next’ = x.next  derefs’ = derefs + c + p ; c.next’ = p  p’ = p  c’ = c  all x | x != c -> x.next’ = x.next  derefs’ = derefs + c )  (c = null  p’ = p  c’ = c  all x | x.next’ = x.next  derefs’ = derefs )) ; result = c

20 20 jumps add continuations S : stmt  formula  formula translation becomes S  a ; b   = S  a  (S  b   ) S  if p a b   = (P  p   S  a   )  (!P  p   S  b   ) S i  while p { a }   = (P  p   S  a  ; S i-1  while p { a }   )  ! P  p    S 0  while p { a }   = ! P  p    S  v = t   = Close (v’ = E  t  ) ;  S  return t   = Close (result = E  t  ) cleaner treatment of null derefs instead of null, make fields partial S  t.f = u   = (some E  t   E  t . f’ = E  u  ;  )  no E  t 

21 21 a small experiment subject 8 sample list procedures from [Dor, Rodeh, Sagiv 99] merge, delete, search, reverse, etc translated by hand into Alloy properties checked no null derefs, result not null no cycles created set inclusions (eg, for delete, merge) results found bugs identified by [DRS99] and one more for scope of 3, 2 unrollings: a few secs, except for merge

22 22 sample specs sample properties assert NoNullDerefs {Merge -> Null !in Derefs’} assert NoLoss {Merge -> result.*next = p.*next + q.*next} assert NoCycles {Merge && Acyclic (p) && Acyclic (q) -> Acyclic (result)} counterexample to NoCycles p = O1 q = O1 next = {O1 -> O0} … result = O1 next’ = {O1 -> O1}

23 23 what next? basic optimizations propagating equality: reduce by factor of #rel? new version of Alcoa (5/00) symmetry & other optimizations new Alloy: signatures, sequence, closure extend to APIs use abstract relations instead eg, Swing objects non termination see whether (state = state’) in some loop iteration global properties check object model invariants eg, every active aircraft is tracked

24 24 related work shape analysis k-limiting loss of completeness, not soundness Sagiv, Reps, Wilhelm relational state ‘execute’ with transfer functions instrumentation for precision pre-post relationships? model checking Kautz, McAllester & Selman: reachability with SAT Biere, Cimatti, Clarke, Fujita & Zhu: bounded LTL theorem proving ESC : sound but less expressive properties

25 25 conclusion key ideas a form of testing, but exhaustive within scope rich property language relational formula good match for Java can accommodate partial specs acknowledgments analysis ideas: Rinard tool: Schechter, Shlyakhter SAT solvers: Nelson, Selman, Kautz, Zhang Moore: 1980-2000, 3 hrs -> 1 sec Alcoa! Free while supplies last! http://sdg.lcs.mit.edu/alcoa

Download ppt "Shape analysis with SAT Daniel Jackson & Mandana Vaziri Software Design Group, MIT LCS Schloss Ringberg · February 21, 2000."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Rigorous Software Development CSCI-GA 3033-009 Instructor: Thomas Wies Spring 2013 Lecture 4.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2013 Lecture 4.
Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
– Seminar in Software Engineering Cynthia Disenfeld

– Seminar in Software Engineering Cynthia Disenfeld
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
Alan Shaffer, Mikhail Auguston, Cynthia Irvine, Tim Levin The 7th OOPSLA Workshop on Domain-Specific Modeling October 21-22, 2007 Toward a Security Domain.

Alan Shaffer, Mikhail Auguston, Cynthia Irvine, Tim Levin The 7th OOPSLA Workshop on Domain-Specific Modeling October 21-22, 2007 Toward a Security Domain.
Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.

Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
CS162 Week 2 Kyle Dewey. Overview Continuation of Scala Assignment 1 wrap-up Assignment 2a.

CS162 Week 2 Kyle Dewey. Overview Continuation of Scala Assignment 1 wrap-up Assignment 2a.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
August 27-29 2007Moscow meeting1August 27-29 2007Moscow meeting1August 27-29 2007Moscow meeting11 Deductive tools in insertion modeling verification A.Letichevsky.

August Moscow meeting1August Moscow meeting1August Moscow meeting11 Deductive tools in insertion modeling verification A.Letichevsky.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Similar presentations

Ads by Google