Post on 21-Dec-2015
Efficient Software Model Checking of Data Structure Properties
Paul T. Darga
Chandrasekhar Boyapati
The University of Michigan
Software Model Checking
Exhaustively test code
– On all possible schedules
– On all possible inputs
– Within a bounded finite domain
Software Model Checking
[Figure: a state space graph growing from the initial state through transitions, labelled "State Space Explosion!"]
State Space Reduction
Many software model checkers
– Verisoft, JPF, CMC, SLAM, Blast, Magic, …
Many state space reduction techniques
– Partial order reduction
– Predicate abstraction
Effective for control-oriented properties
Our work focuses on data-oriented properties
Our Approach: Tree Example
Our system detects that it suffices to check:
– Every operation on every tree path
– Rather than every operation on every tree
Red-black tree: O(n^3) paths, O(n^n) trees
Significant speedup to model checking
Glass Box Model Checking
[Figure: a bounded queue (front, back; enqueue, dequeue) and its state space, each state labelled by a pair of counters from (0,0) up to (4,0) and (0,4). Traditional (black-box) model checker: O(n^2) states, O(n^2) transitions. Glass box model checker: O(n) states, O(n) transitions.]
Outline
Introduction to glass box model checking
Challenges
Experimental results
Related work
Future work and conclusion
Glass Box: Challenges
State space organization
State Space Reachability
We cannot use reachability through transitions (black-box approach)
Programmers must provide a class invariant
State space: the set of all type-correct states within a specified bound which satisfy the invariant
[Figure: a state with no path from the initial state, annotated "State is disconnected, but we still need to check one of its transitions!"]
Singly-linked list with a hand-written invariant (repOk) that rejects cycles:

    class LinkedList {
        static class Node { Node next; Object value; }
        Node head;

        // Invariant: the chain reachable from head is acyclic.
        boolean repOk() {
            java.util.Set<Node> visited = new java.util.HashSet<>();
            for (Node n = head; n != null; n = n.next) {
                if (!visited.add(n)) return false;   // node reached twice: cycle
            }
            return true;
        }
    }

The same list with the checker's `tree` field annotation (a declaration specific to this checker, not standard Java), which makes the acyclicity check unnecessary:

    class LinkedList {
        static class Node { tree Node next; Object value; }
        tree Node head;

        boolean repOk() {
            // writing invariants is easy and fun!
            return true;
        }
    }
Invariants: Specification
Singly-linked list: absence of cycles
java.util.TreeMap: 1670 lines of code, 20 lines of invariant
Glass Box: Search Algorithm

    I = states satisfying the invariant
    S = I × { transitions }
    while (S is not empty) {
        t = any transition in S
        run t
        verify the post-condition
        T = { transitions similar to t }
        S = S – T
    }

How do we represent these sets, and perform operations on them, efficiently?
Glass Box: Challenges
State space organization
– Class invariants
State space representation
– Binary decision diagrams
Binary Decision Diagrams
Compact representation of exponentially large yet structured sets
Perform set operations directly
[Figure: a BDD over the variables "root is null", "left is null", "right is null", "root is red", "left is red", "right is red"]
BDDs: Red-Black Trees

    Max Height   Set Size                   BDD Size
    1            2                          0
    2            7                          12
    3            34                         58
    4            597                        226
    5            238526                     744
    6            42715248230                2367
    7            1123387228727905854061     7359
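As an added illustration (this code is not from the slides or the authors' checker), a minimal reduced ordered BDD that represents a set of states over the six variables in the figure above and supports the set operations the search loop needs (intersection, difference, counting). The invariant it encodes is a constructed toy (null nodes carry no colour, a red node has no red child), not the paper's red-black tree encoding, so the counts it reports are this example's, not the table's; a brute-force enumeration cross-checks the BDD count.

```python
# Added example, not code from the Darga/Boyapati slides or their checker:
# a minimal reduced ordered BDD used as a set of data-structure states.
# The six boolean variables follow the slide's figure; the invariant is a
# constructed toy, not the paper's actual red-black tree encoding.
from functools import reduce
from itertools import product


class BDD:
    """Reduced ordered BDD over variables 0..nvars-1.  Node ids 0 and 1 are the
    FALSE and TRUE terminals; every other id indexes a (var, lo, hi) triple."""

    OPS = {"and": lambda a, b: a & b,
           "or": lambda a, b: a | b,
           "diff": lambda a, b: a & (1 - b)}      # a AND NOT b

    def __init__(self, nvars):
        self.nvars = nvars
        # Terminals carry var == nvars so they sort after every real variable.
        self.nodes = [(nvars, 0, 0), (nvars, 1, 1)]
        self.unique = {}    # (var, lo, hi) -> id: one node per distinct function
        self.memo = {}      # (op, u, v) -> id: keeps apply() polynomial

    def mk(self, var, lo, hi):
        if lo == hi:                    # redundant test: both branches agree
            return lo
        key = (var, lo, hi)
        if key not in self.unique:
            self.unique[key] = len(self.nodes)
            self.nodes.append(key)
        return self.unique[key]

    def var(self, i):
        return self.mk(i, 0, 1)

    def apply(self, op, u, v):
        """Shannon-expand both operands on their smallest variable."""
        key = (op, u, v)
        if key not in self.memo:
            if u < 2 and v < 2:
                r = self.OPS[op](u, v)
            else:
                vu, lu, hu = self.nodes[u]
                vv, lv, hv = self.nodes[v]
                top = min(vu, vv)
                lo = self.apply(op, lu if vu == top else u, lv if vv == top else v)
                hi = self.apply(op, hu if vu == top else u, hv if vv == top else v)
                r = self.mk(top, lo, hi)
            self.memo[key] = r
        return self.memo[key]

    def AND(self, u, v):  return self.apply("and", u, v)
    def OR(self, u, v):   return self.apply("or", u, v)
    def DIFF(self, u, v): return self.apply("diff", u, v)
    def NOT(self, u):     return self.apply("diff", 1, u)
    def IMPLIES(self, u, v): return self.OR(self.NOT(u), v)

    def count(self, u):
        """Set size: number of satisfying assignments over all nvars variables."""
        def rec(n):
            if n < 2:
                return n
            var, lo, hi = self.nodes[n]
            return ((rec(lo) << (self.nodes[lo][0] - var - 1))
                    + (rec(hi) << (self.nodes[hi][0] - var - 1)))
        return rec(u) << self.nodes[u][0]


ROOT_NULL, ROOT_RED, LEFT_NULL, LEFT_RED, RIGHT_NULL, RIGHT_RED = range(6)


def build_invariant(b):
    """Constructed toy invariant over a root node and its two children."""
    v = [b.var(i) for i in range(6)]
    conj = lambda *xs: reduce(b.AND, xs)
    return conj(
        b.IMPLIES(v[ROOT_NULL], conj(b.NOT(v[ROOT_RED]), v[LEFT_NULL], v[RIGHT_NULL])),
        b.IMPLIES(v[LEFT_NULL], b.NOT(v[LEFT_RED])),
        b.IMPLIES(v[RIGHT_NULL], b.NOT(v[RIGHT_RED])),
        b.IMPLIES(v[ROOT_RED], conj(b.NOT(v[LEFT_RED]), b.NOT(v[RIGHT_RED]))),
    )


def invariant_explicit(bits):
    """The same predicate as a plain Python function, for cross-checking."""
    rn, rr, ln, lr, qn, qr = bits
    return ((not rn or (not rr and ln and qn)) and (not ln or not lr)
            and (not qn or not qr) and (not rr or (not lr and not qr)))


def state_counts():
    """(|I|, |states with a red root|, |I minus those states|)."""
    b = BDD(6)
    inv = build_invariant(b)
    red_root = b.AND(inv, b.var(ROOT_RED))     # a structured subset of I
    rest = b.DIFF(inv, b.var(ROOT_RED))        # the S = S - T style pruning step
    return b.count(inv), b.count(red_root), b.count(rest)


def brute_force_count():
    return sum(1 for bits in product((0, 1), repeat=6) if invariant_explicit(bits))


if __name__ == "__main__":
    print(state_counts(), brute_force_count())   # (14, 4, 10) 14
```

The unique table and the apply memo are what keep the representation canonical and the set operations polynomial in the number of BDD nodes rather than in the set size; `DIFF` is the operation the search loop's `S = S – T` step performs directly on the set representation.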
Glass Box: Challenges
State space organization
– Class invariants
State space representation
– Binary decision diagrams
State space reduction
– Monitoring field access
– Monitoring information flow
– Pruning isomorphic structures
– Ensuring soundness
Monitoring Field Access

    t := op = pop ∧ head = n0
         ∧ n0.value = 3 ∧ n0.next = n1
         ∧ n1.value = 7 ∧ n1.next = n2
         ∧ n2.value = 4 ∧ n2.next = n3
         ∧ n3.value = 2 ∧ n3.next = null

    Object pop() {
        if (head == null) return null;
        Object v = head.value;
        head = head.next;
        return v;
    }

[Figure: head → n0 (3) → n1 (7) → n2 (4) → n3 (2)]

    T := op = pop ∧ head = n0 ∧ n0.value = 3 ∧ n0.next = n1     (every field pop reads)
    T := op = pop ∧ head = n0 ∧ n0.next = n1                    (n0.value only flows to the return value)
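An added example (not code from the slides or the authors' checker) that runs the search loop from the "Search Algorithm" slide over a bounded stack and computes "transitions similar to t" by monitoring field access as on this slide: any state that agrees with the executed one on every field the operation read cannot be distinguished by the code that ran, so its transition is covered. The sets are explicit Python sets rather than BDDs, information-flow monitoring is not implemented, and the capacity and value domain are assumptions, so the counts it produces are this example's, not the ones in the performance tables.

```python
# Added example, not code from the slides or the authors' checker: the search
# loop (S = I x {transitions}; pick t, run it, verify the post-condition, remove
# every transition similar to t) for a bounded stack, with "similar" computed by
# recording which fields the transition read.  Sets are explicit Python sets,
# not BDDs; there is no information-flow monitoring.
from itertools import product

CAP = 3              # assumed bound on the stack size
VALUES = (0, 1)      # assumed value domain


def rep_ok(f):
    """Class invariant: size within bound, slots at or above size are empty."""
    return (0 <= f["size"] <= CAP
            and all((f[f"e{i}"] is None) == (i >= f["size"]) for i in range(CAP)))


def all_states():
    """I: every state within the bound that satisfies the invariant."""
    states = []
    for size in range(CAP + 1):
        for elems in product(VALUES, repeat=size):
            f = {"size": size}
            for i in range(CAP):
                f[f"e{i}"] = elems[i] if i < size else None
            states.append(frozenset(f.items()))
    return states


class Traced:
    """A state whose field reads are recorded: the field-access monitor."""
    def __init__(self, state):
        self.f = dict(state)
        self.reads = set()

    def get(self, name):
        self.reads.add(name)
        return self.f[name]

    def set(self, name, value):
        self.f[name] = value


def push(s, v):
    size = s.get("size")
    if size == CAP:
        return None                 # full: leave the stack unchanged
    s.set(f"e{size}", v)
    s.set("size", size + 1)
    return v


def pop(s):
    size = s.get("size")
    if size == 0:
        return None
    v = s.get(f"e{size - 1}")       # reads only the top slot
    s.set(f"e{size - 1}", None)
    s.set("size", size - 1)
    return v


OPS = {"push0": lambda s: push(s, 0), "push1": lambda s: push(s, 1), "pop": pop}


def post_condition(op, before, after, ret):
    b = dict(before)
    if not rep_ok(after):
        return False
    if op.startswith("push"):
        v = int(op[-1])
        if b["size"] == CAP:
            return after == b and ret is None
        return (after["size"] == b["size"] + 1
                and after[f"e{b['size']}"] == v and ret == v)
    if b["size"] == 0:
        return after == b and ret is None
    return after["size"] == b["size"] - 1 and ret == b[f"e{b['size'] - 1}"]


def glass_box_check():
    """Runs the search loop; returns (transitions executed, |S| at the start)."""
    I = all_states()
    S = {(s, op) for s in I for op in OPS}
    total = len(S)
    executed = 0
    while S:
        state, op = next(iter(S))           # t = any transition in S
        traced = Traced(state)
        ret = OPS[op](traced)               # run t, recording field reads
        executed += 1
        if not post_condition(op, state, traced.f, ret):
            raise AssertionError(f"post-condition failed: {op} on {dict(state)}")
        # T = transitions similar to t: the same operation on any state that
        # agrees with this one on every field the operation read.
        here = dict(state)
        T = {(s2, op) for s2 in I
             if all(dict(s2)[name] == here[name] for name in traced.reads)}
        S -= T                              # S = S - T
    return executed, total


if __name__ == "__main__":
    print(glass_box_check())    # (15, 45)
```

With CAP = 3 and two values there are 15 invariant-satisfying states and 45 transitions, but only 15 are executed: push reads nothing but `size`, so one run covers every state of that size, and pop reads `size` and the top slot only. The pruning is sound because every state in T makes the operation take exactly the same reads and writes as the representative that was checked.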
Outline
Introduction to glass box model checking
Challenges
Experimental results
Related work
Future work and conclusion
Performance: Stack
Transitions checked: Glass Box vs JPF vs black box

    Max Size   BDD Nodes   Glass Box   JPF     Black Box
    1          9           4           33      9
    2          14          5           141     32
    3          16          5           1033    115
    4          18          5           10949   450
    8          26          5           -       264420
    16         42          5           -       -
    32         74          5           -       -
    64         140         5           -       -
    128        268         5           -       -
Performance: Stack
Time (s): Glass Box vs JPF vs black box

    Max Size   BDD Nodes   Glass Box   JPF     Black Box
    1          9           0.016       0.533   0.008
    2          14          0.016       0.669   0.009
    3          16          0.017       1.349   0.012
    4          18          0.017       7.233   0.030
    8          26          0.017       -       2.242
    16         42          0.018       -       -
    32         74          0.018       -       -
    64         140         0.020       -       -
    128        268         0.023       -       -
Performance: Queue
Transitions checked: Glass Box vs JPF vs black box

    Max Size   BDD Nodes   Glass Box   JPF     Black Box
    1          17          5           601     27
    2          36          7           89756   356
    3          46          8           -       6610
    4          61          9           -       176430
    8          114         13          -       -
    16         272         21          -       -
    32         834         37          -       -
    64         2873        69          -       -
    128        12292       133         -       -
Performance: Queue
Time (s): Glass Box vs JPF vs black box

    Max Size   BDD Nodes   Glass Box   JPF      Black Box
    1          17          0.019       1.121    0.011
    2          36          0.020       47.598   0.044
    3          46          0.020       -        0.161
    4          61          0.020       -        2.126
    8          114         0.022       -        -
    16         272         0.028       -        -
    32         834         0.050       -        -
    64         2873        0.086       -        -
    128        12292       0.118       -        -
Performance: Red-Black Tree
Transitions checked: Glass Box vs JPF vs black box

    Max Height   BDD Nodes   Glass Box   JPF   Black Box
    1            28          6           49    12
    2            493         28          -     936
    3            3860        108         -     18143370
    4            24400       366         -     -
    5            128314      1094        -     -
    6            781369      2968        -     -
    7            6263228     7524        -     -
Performance: Red-Black Tree
Time (s): Glass Box vs JPF vs black box

    Max Height   BDD Nodes   Glass Box   JPF     Black Box
    1            28          0.022       0.617   0.013
    2            493         0.028       -       0.084
    3            3860        0.066       -       431.682
    4            24400       0.134       -       -
    5            128314      0.340       -       -
    6            781369      1.543       -       -
    7            6263228     10.340      -       -

Only 10 seconds to verify over 2^70 red-black trees!
Performance: File System
Transitions checked: Glass Box vs JPF vs black box

    Max Height   BDD Nodes   Glass Box   JPF     Black Box
    2            784         62          12901   570
    3            1764        135         -       14820
    4            3728        240         -       552900
    5            6531        380         -       -
    6            9984        558         -       -
    7            13467       777         -       -
    8            21755       1040        -       -
    9            31031       1350        -       -
    10           40954       1710        -       -
Performance: File System
Time (s): Glass Box vs JPF vs black box

    Max Height   BDD Nodes   Glass Box   JPF     Black Box
    2            784         0.035       6.883   0.045
    3            1764        0.057       -       0.201
    4            3728        0.075       -       6.267
    5            6531        0.096       -       -
    6            9984        0.109       -       -
    7            13467       0.125       -       -
    8            21755       0.147       -       -
    9            31031       0.167       -       -
    10           40954       0.203       -       -
Outline
Introduction to glass box model checking
Challenges
Experimental results
Related work
Future work and conclusion
Related Work
Software model checkers
– Verisoft [Godefroid]
– Java PathFinder [Visser et al]
– CMC [Musuvathi, Park, Chou, Engler, Dill]
– Bandera [Corbett, Dwyer, Hatcliff, Robby, et al]
– Bogor [Dwyer, Hatcliff, Hoosier, Robby]
– SLAM [Ball, Majumdar, Millstein, Rajamani]
– Blast [Henzinger, Jhala, Majumdar]
– Magic [Chaki, Clarke, Groce, Jha, Veith]
– XRT [Grieskamp, Tillmann, Schulte]
– JCAT [DeMartini, Iosif, Sisto]
Related Work
State space reduction techniques
– Abstraction & refinement [SLAM; Blast; Magic]
– Partial order reduction [Godefroid; Flanagan]
– Heap canonicalization [Musuvathi, Dill; Iosif]
– Symmetry reduction [Ip, Dill]
Related Work
Static analysis tools
– TVLA [Sagiv, Reps, Wilhelm]
– PALE [Moeller, Schwartzbach]
Formal verification using theorem provers
– ESC/Java [Nelson et al]
– ACL2 [Kaufmann, Moore, et al]
Outline
Introduction to glass box model checking
Challenges
Experimental results
Related work
Future work and conclusion
Future Work
Data structures are just the beginning
Applicable to any system where we can:
– Describe the state space using invariants
– Transitions depend on a small part of the state
Can significantly speed up model checking