Software Model Checking Using Bogor Software Model Checking Using - PowerPoint PPT Presentation

Software Model Checking Using Bogor Software Model Checking Using Bogor – a Modular and Extensible Model Checking Framework a Modular and Extensible Model Checking Framework 3rd Estonian Summer School in Computer and System Science (ESSCaSS'04) Slide Set 01: Bogor Overview http:/ / bogor.projects.cis.ksu.edu http:/ / www.cis.ksu.edu/ ~hatcliff/ ESSCaSS04 John Hatcliff Matthew B. Dwyer Robby SAnToS Laboratory, Kansas State University, USA Support Boeing US Army Research Office (ARO) Lockheed Martin Honeywell Technology Center US National Science Foundation (NSF) NASA Langley IBM US Department of Defense Rockwell-Collins ATC Advanced Research Projects Agency (DARPA) Intel Sun Microsystems

Bogor Bogor

Bogor – Bogor – Software Model Checking Framework Software Model Checking Framework

Bogor – Bogor – Direct support for OO software Direct support for OO software Extensive support for checking concurrent OO software Software targeted algorithms… Direct support for… unbounded dynamic creation � thread & heap symmetry � of threads and objects compact state representation � automatic memory � partial order reduction � management (garbage techniques driven by collection) object escape analysis virtual methods, … � � locking information …, exceptions, etc. � � supports virtually all of Java �

Bogor – Bogor – Eclipse-based Tool Components Eclipse-based Tool Components Next generation of Cadena Bandera Java Model- CORBA Component Model checking Tool Set verification SpEx JML Verification, etc. Tool Development Framework Architecture allows encapsulation/integration with other verification tools using IBM’s Eclipse Integrated Development Environment

Bogor – Bogor – Domain Specific Model-Checking Domain Specific Model-Checking Modeling language and Algorithms easily customized to different domains Domain X Domain Y Domain Z Extensible modeling language and plug-in architecture allows Bogor to be customized to a variety of application domains

Variety of Application Domains Variety of Application Domains Hardware Device Drivers Avionics Hardware Device Drivers Avionics Telephony Automotive GUI Telephony Automotive GUI

Leveraging Domain Knowledge Leveraging Domain Knowledge � Holzmann developed a customized model extraction from C to Spin � Translation using pattern matching of particular domain idioms � In essence, an abstract machine for a particular domain � Very effective at finding Lucent Path Star Lucent Path Star subtle defects Telephone Switch Telephone Switch

Variety of System Descriptions Variety of System Descriptions State Machines Design Notations State Machines Design Notations Model Checker Different Different levels of levels of abstraction! Byte code abstraction! Byte code Source code Source code

The Goal The Goal Avionics State Machines Avionics State Machines Model-checking Domain & Abstraction Engine Extensions Abstract machine tailored to domain and level of abstraction Abstract machine tailored to domain and level of abstraction

The Goal The Goal Source code Device Drivers Source code Device Drivers Model-checking Domain & Abstraction Domain & Abstraction Engine Extensions Extensions Abstract machine tailored to domain and level of abstraction Abstract machine tailored to domain and level of abstraction

The Goal The Goal Design Notations Automotive Design Notations Automotive Model-checking Domain & Abstraction Domain & Abstraction Engine Extensions Domain & Abstraction Extensions Extensions Abstract machine tailored to domain and level of abstraction Abstract machine tailored to domain and level of abstraction

Customization Mechanisms Customization Mechanisms Bogor -- Extensible Modeling Language Threads, Domain-Specific Objects, + Methods, Abstractions Exceptions, etc. Core Modeling Language Bogor -- Customizable Checking Engine Modules …existing Domain-Specific Scheduling modules… Scheduler Strategy Domain- State-space State Domain-Specific Specific Search State Rep. Exploration Representation Core Checker Modules Customized Checker Modules

Outline Outline Bogor Modeling Language and UI � Example: Dining philosophers Overview � Demo: Bogor UI and BIR Case Wizard Concept of Bogor Conclusions Extensions � The utility of a customizable model- � Extending the syntax checking platform � Adding semantics via Java

Bogor Modeling Language Bogor Modeling Language − BIR BIR BIR = Bandera Intermediate Representation � Used as the intermediate language for the Bandera Tool Set for model-checking Java programs � Guarded command language � when < condition> do < command> � Native support for a variety of object- oriented language features � dynamically created objects and threads, exceptions, methods, inheritance, etc.

An n Examp xample e − 2 Dining Philosophers 2 Dining Philosophers right left right left

A BIR BIR Examp xample e − 2 Dining Philosophers 2 Dining Philosophers system TwoDiningPhilosophers { record Fork { boolean isHeld; } main thread MAIN() { thread Phil(Fork left, Fork right) { Fork fork1; loc loc0: // take left fork Fork fork2; when !left.isHeld do { left.isHeld := true; loc loc0: } goto loc1; do { // create forks loc loc1: // take right fork fork1 := new Fork; when !right.isHeld do fork2 := new Fork; { right.isHeld := true; } goto loc2; // start philosophers start Phil(fork1, fork2); loc loc2: // put right fork start Phil(fork2, fork1); do { right.isHeld := false; } } return; goto loc3; } loc loc3: // put left fork do { left.isHeld := false; } goto loc0; } }

A BIR BIR Examp xample e − 2 Dining Philosophers 2 Dining Philosophers system TwoDiningPhilosophers { Uses a record to model forks record Fork { boolean isHeld; } Uses a record to model forks main thread MAIN() { thread Phil(Fork left, Fork right) { Fork fork1; loc loc0: // take left fork Fork fork2; when !left.isHeld do { left.isHeld := true; loc loc0: } goto loc1; do { // create forks loc loc1: // take right fork fork1 := new Fork; when !right.isHeld do fork2 := new Fork; { right.isHeld := true; } goto loc2; // start philosophers start Phil(fork1, fork2); loc loc2: // put right fork start Phil(fork2, fork1); do { right.isHeld := false; } } return; goto loc3; } loc loc3: // put left fork do { left.isHeld := false; } goto loc0; } }

A BIR BIR Examp xample e − 2 Dining Philosophers 2 Dining Philosophers Thread declarations system TwoDiningPhilosophers { Thread declarations record Fork { boolean isHeld; } main thread MAIN() { thread Phil(Fork left, Fork right) { Fork fork1; loc loc0: // take left fork Fork fork2; when !left.isHeld do { left.isHeld := true; loc loc0: } goto loc1; do { // create forks loc loc1: // take right fork fork1 := new Fork; when !right.isHeld do fork2 := new Fork; { right.isHeld := true; } goto loc2; // start philosophers start Phil(fork1, fork2); loc loc2: // put right fork start Phil(fork2, fork1); do { right.isHeld := false; } } return; goto loc3; } loc loc3: // put left fork do { left.isHeld := false; } goto loc0; } }

A BIR BIR Examp xample e − 2 Dining Philosophers 2 Dining Philosophers system TwoDiningPhilosophers { record Fork { boolean isHeld; } main thread MAIN() { thread Phil(Fork left, Fork right) { Fork fork1; loc loc0: // take left fork Local variable declarations Local variable declarations Fork fork2; when !left.isHeld do { left.isHeld := true; loc loc0: } goto loc1; do { // create forks loc loc1: // take right fork fork1 := new Fork; when !right.isHeld do fork2 := new Fork; { right.isHeld := true; } goto loc2; // start philosophers start Phil(fork1, fork2); loc loc2: // put right fork start Phil(fork2, fork1); do { right.isHeld := false; } } return; goto loc3; } loc loc3: // put left fork do { left.isHeld := false; } goto loc0; } }

A BIR BIR Examp xample e − 2 Dining Philosophers 2 Dining Philosophers system TwoDiningPhilosophers { record Fork { boolean isHeld; } main thread MAIN() { thread Phil(Fork left, Fork right) { Fork fork1; loc loc0: // take left fork Fork fork2; when !left.isHeld do { left.isHeld := true; loc loc0: } goto loc1; do { // create forks loc loc1: // take right fork Control locations fork1 := new Fork; when !right.isHeld do Control locations fork2 := new Fork; { right.isHeld := true; } goto loc2; // start philosophers start Phil(fork1, fork2); loc loc2: // put right fork start Phil(fork2, fork1); do { right.isHeld := false; } } return; goto loc3; } loc loc3: // put left fork do { left.isHeld := false; } goto loc0; } }

A BIR BIR Examp xample e − 2 Dining Philosophers 2 Dining Philosophers … aka “guarded transitions”, Guarded transformations “guarded commands” thread Phil(Fork left, Fork right) { loc loc0: // take left fork when !left.isHeld do { When condition When condition left.isHeld := true; } goto loc1; is true is true Execute these Execute these loc loc1: // take right fork when !right.isHeld do statement(s) statement(s) { right.isHeld := true; } atomically goto loc2; atomically loc loc2: // put right fork Trivially true do { right.isHeld := false; } Trivially true goto loc3; guards guards loc loc3: // put left fork do { left.isHeld := false; } goto loc0; } }