Software Model Checking Using Bogor Software Model Checking Using - PowerPoint PPT Presentation

Software Model Checking Using Bogor Software Model Checking Using Bogor – a Modular and Extensible Model Checking Framework a Modular and Extensible Model Checking Framework 3rd Estonian Summer School in Computer and System Science (ESSCaSS'04) Slide Set 06: Bogor’s Statespace Reductions http://bogor.projects.cis.ksu.edu http://www.cis.ksu.edu/~hatcliff/ESSCaSS04 John Hatcliff Matthew B. Dwyer Robby SAnToS Laboratory, Kansas State University, USA Support Boeing US Army Research Office (ARO) Lockheed Martin Honeywell Technology Center NASA Langley US National Science Foundation (NSF) IBM US Department of Defense Rockwell-Collins ATC Advanced Research Projects Agency (DARPA) Intel Sun Microsystems

Effective for OO Software Effective for OO Software How do we take the well-known explicit- state model-checking algorithms and enhance them to be effective for working directly on software? � How do we represent the state effectively? � How do we reduce the number of paths/states explored?

Heap Representation Heap Representation Simple Idea � Start with something like Spin � Implement objects as records/structs � Implement heap as an array of objects … not a good idea!

Heap Representations Heap Representations Two Possible Schedules Thread R Thread B S 1 1. R goes first 2. B goes first … … new Y( ) new Y( ) new X( ) new X( ) … … Naïve Heap Representation 1. R goes first 2. B goes first

Heap Representations Heap Representations Two Possible Schedules Thread R Thread B S 1 1. R goes first 2. B goes first … … new Y( ) new Y( ) new X( ) new X( ) … … Naïve Heap Representation X Y 1. R goes first 2. B goes first

Heap Representations Heap Representations Two Possible Schedules Thread R Thread B S 1 1. R goes first 2. B goes first … … new Y( ) new Y( ) new X( ) new X( ) … … Naïve Heap Representation Y X X Y 1. R goes first 2. B goes first

Heap Representations Heap Representations Two Possible Schedules Thread R Thread B S 1 1. R goes first 2. B goes first … … new Y( ) new Y( ) new X( ) new X( ) But how do we design a We desire a But how do we design a … … We desire a representation that single state here representation that single state here accomplishes this? accomplishes this? Naïve Heap Representation Observationally Observationally Y X Equivalent Equivalent ≅ X Y 1. R goes first 2. B goes first

Assessment Assessment Different thread interleavings may cause different positioning of heap objects. This will cause observationally equivalent heaps to be considered distinct states --- leading to tremendous state explosion. Observationally Equivalent ≅ garbage garbage collection & canonical ordering on objects Canonical Heap based on lexicographical order on field names in reachability (fully abstract) chain

Bogor’s Bogor’s Heap Representation eap Representation Heap Key Points… Heap State State …explicit heap representation …after each transition, a topological sort gives heap objects a canonical order …transition may create new …garbage is eliminated objects, garbage, etc. …precise heap model …precise alias information …have access to all visited states (but, efficiently stored using collapse compression) …sort walks over …sort walks over Canonical heap heap, canonicalizes, Canonical heap heap, canonicalizes, and collects info and collects info

Heap Representation Heap Representation � After each transition… � reachable heap objects are ordered � topological sort based on chains of field names � unreachable objects are discarded (garbage collection) � State compression… � objects are held in an pool and are identified by bit patterns � state vector holds bit-vectors representing objects � means that object values can be shared across states � good! because in a typical transition, very little changes in the state � Formalization of heap and thread symmetry… � presentation by Radu Iosif based on group theory See ”State-space Reductions See ”State-space Reductions for Model-Checking Dynamic Software” SoftMC 2003 for Model-Checking Dynamic Software” SoftMC 2003

Avoiding Equivalent Paths Avoiding Equivalent Paths Explosion of Paths Many paths are equivalent in the Many paths are equivalent in the sense that they cannot be sense that they cannot be distinguished by the property distinguished by the property being checked. being checked.

Partial Order Reduction (POR) Partial Order Reduction (POR) Properties of Independent Transitions s α β α still enabled here transitions s 1 s 2 commute α β Intuition r If property to be checked, doesn’t make observations about α , β then we only need to explore one of the paths

Classic PO Reductions Classic PO Reductions � Usually based on syntactic inspection of the transitions (approximation) � e.g., accesses to local variables local vars local vars pr ocess P 1 { pr ocess P 2 { global var global var i nt x, y; i nt a, b; g = x + y; … independent x = y + 1; g = a; y = 2; a = a + b; … b = a – 2; … can be explored can be explored without any } } without any interleavings interleavings

Dynamic Object-Oriented Software Dynamic Object-Oriented Software Most data is heap-allocated, but it may still be local: Shared access, i.e., Shared access, i.e., observable from others observable from others Thread-local accesses, Thread-local accesses, i.e., unobservable from i.e., unobservable from other threads other threads

Dynamic Object-Oriented Software Dynamic Object-Oriented Software Most data is heap-allocated, but it may still be local: � Local data corresponds to thread-local objects – objects that are accessible by a single thread only. � Thread-local transitions are transitions that do not access non-thread-local objects. � analogous to transitions that only access local variables � Thread-local transitions do not interfere with transitions from other threads – hence they should be considered independent.

Example Example class Process extends Thread { Node head; Create a linked-list of heap Create a linked-list of heap public void run() { allocated nodes allocated nodes head = new Node(0); Node temp = head; for (int i = 1; i < 10; i+ + ) { temp.next = new Node(i); temp = temp.next; } while (head != null) { head.x+ + ; Process1 head = head.next; } } }

Example Example class Process extends Thread { Node head; public void run() { head = new Node(0); Node temp = head; for (int i = 1; i < 10; i+ + ) { temp.next = new Node(i); temp = temp.next; Traverse list of nodes } Traverse list of nodes while (head != null) { head.x+ + ; Process1 head = head.next; } } }

Example Example class Process extends Thread { Node head; How many of these How many of these public void run() { transitions have to be transitions have to be head = new Node(0); interleaved with other Node temp = head; interleaved with other for (int i = 1; i < 10; i+ + ) { threads? threads? temp.next = new Node(i); temp = temp.next; } while (head != null) { head.x+ + ; … none! they are head = head.next; all thread local } } }

Static Approach Static Approach � Static escape analysis can be used to detect thread-local objects (and thus, thread-local transitions) � We implemented a modified version of Ruf’s escape analysis for Java � concludes for the previous program that all transitions in the thread body do not access escaping objects � However, there exists many other opportunities for thread-local-based reductions in typical programs � insight: an object can thread-local in some parts of the program but visible by more than one thread in others.

Example Revisited Example Revisited class Process extends Thread { class Process extends Thread { Node head; Node head; public void run() { public Process { head = new Node(0); head = new Node(0); Node temp = head; Node temp = head; for (int i = 1; i < 10; i+ + ) { for (int i = 1; i< 10; i+ + ) { temp.next = new Node(i); temp.next = new Node(i); temp = temp.next; temp = temp.next; shift list creation } shift list creation } } code from ‘run’ code from ‘run’ into constructor public void run() { into constructor while (head != null) { while (head != null) { head.x+ + ; head.x+ + ; head = head.next; head = head.next; } } } } } }

Example Revisited -- Example Revisited -- Assessment Assessment Static escape analysis says class Process extends Thread { Node head; these objects are escaping and, thus, are not thread-local. public Process { head = new Node(0); List of nodes are List of nodes are Node temp = head; accessed by thread that accessed by thread that for (int i = 1; i< 10; i+ + ) { creates Pr ocess here temp.next = new Node(i); creates Pr ocess here temp = temp.next; } } public void run() { while (head != null) { List of nodes are accessed head.x+ + ; List of nodes are accessed by Pr ocess thread here head = head.next; by Pr ocess thread here } } } …but the list here is not …but the list here is not visible to the creating thread! visible to the creating thread!