1 / 31

Efficient Software Model Checking of Data Structure Properties

Efficient Software Model Checking of Data Structure Properties. Paul T. Darga Chandrasekhar Boyapati The University of Michigan. Software Model Checking. Exhaustively test code On all possible schedules On all possible inputs Within a bounded finite domain. Initial State. Transitions.

gcotton
Download Presentation

Efficient Software Model Checking of Data Structure Properties

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Efficient Software Model Checking of Data Structure Properties Paul T. Darga Chandrasekhar Boyapati The University of Michigan

  2. Software Model Checking • Exhaustively test code • On all possible schedules • On all possible inputs • Within a bounded finite domain

  3. Initial State Transitions Software Model Checking State Space Explosion!

  4. State Space Reduction • Many software model checkers • Verisoft, JPF, CMC, SLAM, Blast, Magic, … • Many state space reduction techniques • Partial order reduction • Predicate abstraction • Effective for control-oriented properties • Our work focuses on data-oriented properties

  5. Our Approach: Tree Example • Our system detects that it suffices to check: • Every operation on every tree path • Rather than every operation on every tree • Red-black tree: O(n3) paths, O(nn) trees • Significant speedup to model checking

  6. 0,0 1,0 0,1 0,2 2,0 1,1 0,3 3,0 1,2 2,1 4,0 0,4 3,1 1,3 2,2 Glass Box Model Checking dequeue front back enqueue 0,0 1,0 0,1 0,2 2,0 1,1 0,3 3,0 1,2 2,1 4,0 0,4 3,1 1,3 2,2 Traditional (black-box) model checker Glass Box model checker O(n2) transitions O(n) transitions O(n2) states O(n) states

  7. Outline • Introduction to glass box model checking • Challenges • Experimental results • Related work • Future work and conclusion

  8. Glass Box: Challenges • State space organization

  9. State Space Reachability State is disconnected, but we still need to check one of its transitions! • We cannot use reachability through transitions (black-box approach) • Programmers must provide a class invariant • State space: the set of all type-correct states within a specified bound which satisfy the invariant

  10. Singly-linked list: absence of cycles Invariants: Specification java.util.TreeMap 1670 lines of code 20 lines of invariant class LinkedList { static class Node { Node next; Object value; } Node head; boolean repOk() { Set visited = new java.util.HashSet(); for (Node n = head; n != null; n = n.next) { if (!visited.add(n)) returnfalse; } returntrue; } } class LinkedList { static class Node { treeNode next; Object value; } treeNode head; boolean repOk() { // writing invariants is easy and fun! returntrue; } }

  11. Glass Box: Search Algorithm I = states satisfying the invariant S = I × { transitions } while (S is not empty) { t = any transition in S run t verify the post-condition T = { transitions similar to t } S = S – T } How do we represent these sets, and perform operations on them, efficiently?

  12. Glass Box: Challenges • State space organization • Class invariants • State space representation • Binary decision diagrams

  13. Compact representation of exponentially large yet structured sets Perform set operations directly Binary Decision Diagrams  root is null  left is null right is null right is null   root is red root is red root is red   left is red left is red left is red    right is red right is red    

  14. BDDs: Red-Black Trees

  15. Glass Box: Challenges • State space organization • Class invariants • State space representation • Binary decision diagrams • State space reduction • Monitoring field access • Monitoring information flow • Pruning isomorphic structures • Ensuring soundness

  16. Monitoring Field Access Object pop() { if (head == null) returnnull; Object v = head.value; head = head.next; return v; } t := op = pop ۸ head = n0۸ n0.value = 3 ۸ n0.next = n1۸n1.value = 7 ۸n1.next = n2۸n2.value = 4 ۸n2.next = n3۸n3.value = 2 ۸n3.next = null 3 2 7 4 head n0 n1 n2 n3 T := op = pop ۸head = n0۸ n0.value = 3 ۸ n0.next = n1 T := op = pop ۸head = n0۸ n0.next = n1

  17. Outline • Introduction to glass box model checking • Challenges • Experimental results • Related work • Future work and conclusion

  18. Performance: Stack

  19. Performance: Stack

  20. Performance: Queue

  21. Performance: Queue

  22. Performance: Red-Black Tree Only 10 seconds to verify over 270 red-black trees!

  23. Performance: Red-Black Tree Only 10 seconds to verify over 270 red-black trees!

  24. Performance: File System

  25. Performance: File System

  26. Outline • Introduction to glass box model checking • Challenges • Experimental results • Related work • Future work and conclusion

  27. Related Work • Software model checkers • Verisoft [Godefroid] • Java PathFinder [Visser et al] • CMC [Musuvathi, Park, Chou, Engler, Dill] • Bandera [Corbett, Dwyer, Hatcliff, Robby, et al] • Bogor [Dwyer, Hatcliff, Hoosier, Robby] • SLAM [Ball, Majumdar, Millstein, Rajamani] • Blast [Henzinger, Jhala, Majumdar] • Magic [Chaki, Clarke, Groce, Jha, Veith] • XRT [Grieskamp, Tillmann, Shulte] • JCAT [DeMartini, Iosif, Sisto]

  28. Related Work • State space reduction techniques • Abstraction & refinement [SLAM; Blast; Magic] • Partial order reduction [Godefroid; Flanagan] • Heap canonicalization [Musuvathi, Dill; Iosif] • Symmetry reduction [Ip, Dill]

  29. Related Work • Static analysis tools • TVLA [Sagiv, Reps, Wilhelm] • PALE [Moeller, Schwartzbach] • Formal verification using theorem provers • ESC/Java [Nelson et al] • ACL2 [Kaufmann, Moore, et al]

  30. Outline • Introduction to glass box model checking • Challenges • Experimental results • Related work • Future work and conclusion

  31. Future Work • Data structures are just the beginning • Applicable to any system where we can: • Describe the state space using invariants • Transitions depend on a small part of the state • Can significantly speedup model checking

More Related