The Bandera Perspective (slide deck, PDF)



Slide 1. Software Model-checking: The SAnToS/Bandera Perspective
SAnToS Laboratory, Kansas State University, USA, http://www.cis.ksu.edu/bandera
Principal Investigators: Matt Dwyer, John Hatcliff
Postdocs and Students: Radu Iosif, Robby, Hongjun Zheng, Venkatesh Ranganath, Corina Pasareanu, Oksana Tkachuk, Georg Jung, William Deng
Support: US National Science Foundation (NSF), US National Aeronautics and Space Administration (NASA), US Defense Advanced Research Projects Agency (DARPA), US Army Research Office (ARO), Rockwell-Collins ATC, Honeywell Technology Center and NASA Langley, Sun Microsystems, Intel

The Bandera Perspective
This talk will focus on Bandera and Cadena and will give the Bandera/SAnToS perspective on software model-checking. For other perspectives see:
- Java PathFinder (JPF), NASA Ames
- SLAM Project, Microsoft Research
- BLAST Project, U.C. Berkeley
- FeaVer Project, Lucent/Bell Labs
- Alloy, MIT

Slide 2. Goals of the Project
I. Provide a platform for construction of, and experimentation with, technologies for model-checking concurrent Java software:
- model-reduction techniques, e.g., abstraction, slicing, compiler-based optimizations
- model-checking engines, e.g., explicit-state, symbolic
- property specification languages, e.g., temporal logic, state machines
II. Integration with commonly used design notations, methods, and processes:
- UML artifacts, CCM
- integration with development, e.g., checking, specification and certification of safety-critical systems
- automatic generation of synchronization code with dedicated checking
III. Evaluation using safety-critical military and civilian applications as well as non-critical popular open-source software.

In This Talk:
- Challenges in model-checking software and how Bandera addresses these (30 minutes)
- Overview of Bandera tool architecture and functionality of primary components (40 minutes)
- break
- Specification Patterns (20 minutes)
- Modeling Avionics Software (40 minutes)
- Conclusions (10 minutes)

Slide 3. Goals
- Draw connections with earlier lectures and explain how various concepts and techniques are similar/different in software
- Highlight hard open problems related to software model-checking
- Share what I think are future trends in software model-checking and why we as a community have some reasons for being optimistic

[Figure: Model Checking. A model checker takes a finite-state model and a temporal logic formula (Φ, Ω) and answers either OK or produces an error trace, shown as a line listing: Line 5: …, Line 12: …, Line 15: …, Line 21: …, Line 25: …, Line 27: …, …, Line 41: …, Line 47: ….]

Slide 4. What makes model-checking software difficult?
[Figure: the model-checker diagram of Slide 3, annotated with the four problems below.]
Problems using existing checkers:
- State explosion
- Model construction
- Property specification
- Output interpretation

Model Construction Problem
Program (Java source of a bounded buffer):

    void add(Object o) {
      buffer[head] = o;
      head = (head+1) % size;
    }
    Object take() {
      …
      tail = (tail+1) % size;
      return buffer[tail];
    }

The program must be turned into a model description for the model checker, and there is a semantic gap between the two:
- Programming languages: methods, inheritance, dynamic creation, exceptions, etc.
- Model description languages: automata

Slide 5. Model Construction Problem
- Due to state explosion, model-checking should not be applied to an entire code base, but rather to a unit
- In OO software, boundaries between units are usually messy:
  - references flow out of the unit
  - the unit and external components can change the state of objects created in the unit
  - call-backs (in all GUI code)
- It is tedious to identify interaction points and define stubs/drivers
[Figure: a unit drawn inside the larger code base, with interaction points crossing the unit boundary.]

Slide 6. Property Specification Problem
It is difficult to formalize a requirement in temporal logic. "Between the window open and the window close, button X can be pushed at most twice." is rendered in LTL as:

    []((open /\ <>close) ->
      ((!pushX /\ !close) U (close \/
        ((pushX /\ !close) U (close \/
          ((!pushX /\ !close) U (close \/
            ((pushX /\ !close) U (close \/
              (!pushX U close))))))))))

Property Specification Problem: forced to state the property in terms of the model rather than the source.
We want to write source-level specifications:

    Heap.b.head == Heap.b.tail

We are forced to write model-level specifications:

    (((_collect(heap_b) == 1)
      && (BoundedBuffer_col.instance[_index(heap_b)].head
          == BoundedBuffer_col.instance[_index(heap_b)].tail))
     || ((_collect(heap_b) == 3)
      && (BoundedBuffer_col_0.instance[_index(heap_b)].head
          == BoundedBuffer_col_0.instance[_index(heap_b)].tail))
     || ((_collect(heap_b) == 0) && TRAP))

Slide 7. Property Specification Problem
Complications arise due to the dynamic nature of OO software. Consider multiple instances of a bounded buffer class.
Requirement: "If a buffer instance becomes full, it will eventually become non-full."
In general, a heap object has no program-level name that persists throughout the lifetime of the object.
[Figure: variables b1, b2, b3 pointing into the heap at bounded-buffer objects.]

Slide 8. State Explosion Problem (blah, blah, blah …)
- Moore's law and algorithm advances can help
- Holzmann: 7 days (1980) ==> 7 seconds (2000)
- Explosive state growth in software limits scalability

Slide 9. Output Interpretation Problem
[Figure: the raw error trace (Line 5: …, Line 12: …, Line 15: …, Line 21: …, Line 25: …, Line 27: …, …, Line 41: …, Line 47: …) refers to the model description; it must be mapped back across the semantic gap to the program source, the add()/take() code of Slide 4.]
- A raw error trace may be 1000's of steps long
- Must map the line listing onto the model description
- Mapping to source is made difficult by the semantic gap and by clever encodings of complex features, multiple optimizations and transformations
- Over-approximations in abstractions may yield infeasible error traces (how to decide if feasible or not?)

Bandera: an open tool set for model-checking Java source code
[Figure: architecture. A Graphical User Interface with Optimization Control sits on top. Checker inputs are a Temporal Specification and the Java Source (the add()/take() code above); Transformation & Abstraction Tools produce a Model that is fed to the Model Checkers; the Checker Outputs are an Error Trace, which Error Trace Mapping relates back to the Java source.]
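The following is an added example, written for this page and not code from the Bandera project or these slides. It is a toy explicit-state model checker in Python for the bounded buffer sketched on Slide 4: add() and take() are split into the atomic steps a checker would interleave, every interleaving of a producer/consumer thread set is explored breadth-first, and a violated invariant comes back as the shortest error trace in terms of source-level labels rather than model states. The `count` field, the busy-wait guards and the thread set are assumptions the slide's fragment does not show. It also counts the reachable states, which illustrates the state-explosion point of Slide 8: the count grows with every thread added.

```python
from collections import deque

# Added example, not Bandera code. Shared state is the tuple (head, tail, count);
# 'count' is an assumed field the slide's sketch does not show. Each thread is a
# dict pc -> (source label, atomic step), where a step maps the shared state to
# (next_pc, new_shared) or to None when the thread is blocked in that state.

def producer_unsynced(size):
    """add() as two atomic steps: the capacity check, then the update (race window)."""
    def check(s):
        head, tail, count = s
        return (1, s) if count < size else None           # spin while full
    def update(s):
        head, tail, count = s
        return (0, ((head + 1) % size, tail, count + 1))  # buffer[head] = o; head++
    return {0: ("if (count < size)", check),
            1: ("buffer[head] = o; head = (head+1) % size; count++", update)}

def producer_synced(size):
    """add() with check and update in one atomic step (as inside a monitor)."""
    def add(s):
        head, tail, count = s
        return (0, ((head + 1) % size, tail, count + 1)) if count < size else None
    return {0: ("synchronized add()", add)}

def consumer_unsynced(size):
    """take() as two atomic steps: the emptiness check, then the update."""
    def check(s):
        head, tail, count = s
        return (1, s) if count > 0 else None              # spin while empty
    def update(s):
        head, tail, count = s
        return (0, (head, (tail + 1) % size, count - 1))  # tail++; return buffer[tail]
    return {0: ("if (count > 0)", check),
            1: ("tail = (tail+1) % size; count--", update)}

def consumer_synced(size):
    """take() with check and update in one atomic step."""
    def take(s):
        head, tail, count = s
        return (0, (head, (tail + 1) % size, count - 1)) if count > 0 else None
    return {0: ("synchronized take()", take)}

def _trace(seen, state):
    """Walk predecessor links back to the initial state: this is the error-trace mapping."""
    steps = []
    while seen[state] is not None:
        state, step = seen[state]
        steps.append(step)
    return steps[::-1]

def check_model(threads, invariant=None):
    """Breadth-first exploration of every interleaving from the initial state.
    Returns (states_explored, error_trace). The trace is the shortest sequence of
    (thread_index, source_label) steps reaching a state that violates the invariant,
    or None. With invariant=None the whole reachable state space is counted."""
    init = (tuple(0 for _ in threads), (0, 0, 0))
    seen = {init: None}                  # state -> (predecessor, step)
    queue = deque([init])
    while queue:
        state = queue.popleft()
        pcs, shared = state
        if invariant is not None and not invariant(shared):
            return len(seen), _trace(seen, state)
        for i, program in enumerate(threads):
            label, step = program[pcs[i]]
            result = step(shared)
            if result is None:
                continue                 # thread blocked in this state
            next_pc, new_shared = result
            successor = (pcs[:i] + (next_pc,) + pcs[i + 1:], new_shared)
            if successor not in seen:
                seen[successor] = (state, (i, label))
                queue.append(successor)
    return len(seen), None

if __name__ == "__main__":
    size = 2
    no_overflow = lambda s: 0 <= s[2] <= size   # the buffer never holds more than size items
    racy = [producer_unsynced(size), producer_unsynced(size), consumer_unsynced(size)]
    n, trace = check_model(racy, no_overflow)
    print(f"{n} states explored; counterexample:")
    for thread, label in trace:
        print(f"  thread {thread}: {label}")
    safe = [producer_synced(size), producer_synced(size), consumer_synced(size)]
    print("synchronized version:", check_model(safe, no_overflow))
    for k in (1, 2, 3):   # state explosion: reachable states grow with each added thread
        threads = [producer_unsynced(size)] * k + [consumer_unsynced(size)]
        print(k, "producers ->", check_model(threads)[0], "reachable states")
```

With two unsynchronized producers and a buffer of size 2 the checker finds the check-then-act race in six steps: both producers pass `count < size` before either increments, and the buffer ends up holding three items. The same invariant holds for the synchronized variant, whose reachable state space is also far smaller because each thread has a single program point.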

Slide 10. Addressing the Model Construction Problem
[Figure: Java Source (the add()/take() code of Slide 4) goes through the Model Compiler, which applies Static Analyses, Abstract Interpretation, Optimizations and Slicing, and produces the Model Description.]
Model extraction: compiling to model checker inputs:
- Numerous analyses, optimizations, two intermediate languages, multiple back-ends
- Slicing, abstract interpretation, specialization
- Variety of usage modes: simple ... highly tuned

Addressing the Model Construction Problem: Bandera Environment Generation Tools
- Identify classes in the unit
- Automatically find points of interaction (where the unit calls outside classes or is itself called)
[Figure: the unit inside the code base, with its interaction points marked.]

Slide 11. Addressing the Model Construction Problem
Bandera Environment Generation Tools (continued):
- Identify classes in the unit
- Automatically find points of interaction (where the unit calls outside classes or is itself called)
- Cut away non-unit classes
- Automatically generate a driver (generates calls to the unit based on a regular expression or LTL formula; the driver is a Java encoding of a state machine)
- Automatically generate stubs
[Figure: the result is a closed unit, Driver + Unit + Stubs, separated from the rest of the code base.]

Addressing the Property Specification Problem
An extensible language based on field-tested temporal property specification patterns. Instead of the LTL rendering of Slide 6:

    []((open /\ <>close) ->
      ((!pushX /\ !close) U (close \/
        ((pushX /\ !close) U (close \/
          ((!pushX /\ !close) U (close \/
            ((pushX /\ !close) U (close \/
              (!pushX U close))))))))))

Using the pattern system (2-bounded existence):

    Between {open} and {close} {pushX} exists atMost {2} times;
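As an added example (not part of the slides, and not the Bandera pattern system's own implementation), the Python below shows what the pattern system does for the property on Slides 6 and 11: it expands "between Q and R, P exists at most n times" into the nested until-formula the slide shows, for any n, and it checks the same requirement directly on finite traces so the two readings can be compared. The proposition names open, close and pushX come from the slide; the trace representation (a list of sets of true propositions) and the `pattern_text` helper are assumptions made for the example.

```python
# Added example, not from the Bandera pattern system's own implementation: a
# generator for the "bounded existence, at most n, between Q and R" pattern in
# the LTL notation the slide uses, plus a finite-trace checker for the same
# requirement. Proposition names (open, close, pushX) follow the slide.

def pattern_text(p, q, r, n):
    """The requirement in the slide's pattern-system syntax (assumed helper)."""
    return f"Between {{{q}}} and {{{r}}} {{{p}}} exists atMost {{{n}}} times;"

def bounded_existence_ltl(p, q, r, n):
    """Expand the pattern into LTL: [] = always, <> = eventually, U = until.
    Each nesting level admits one more state in which p holds before r."""
    body = f"(!{p} U {r})"                              # innermost: no more p before r
    for _ in range(n):
        body = f"(({p} & !{r}) U ({r} | {body}))"       # a stretch where p holds ...
        body = f"((!{p} & !{r}) U ({r} | {body}))"      # ... preceded by one where it does not
    return f"[](({q} & <>{r}) -> {body})"

def holds_on_trace(trace, p, q, r, n):
    """Finite-trace semantics of the same requirement. A trace is a list of sets of
    propositions true in each state. For every state satisfying q that is followed
    by a state satisfying r, p may hold in at most n states from the q-state up to
    (not including) the first r-state. A scope that never closes imposes no obligation,
    matching the '(q & <>r) ->' guard of the formula."""
    for i, state in enumerate(trace):
        if q not in state:
            continue
        close = next((k for k in range(i, len(trace)) if r in trace[k]), None)
        if close is None:
            continue
        if sum(p in trace[k] for k in range(i, close)) > n:
            return False
    return True

if __name__ == "__main__":
    print(pattern_text("pushX", "open", "close", 2))
    print(bounded_existence_ltl("pushX", "open", "close", 2))
    # Constructed traces: two pushes between open and close is fine, three is not.
    ok = [{"open"}, {"pushX"}, set(), {"pushX"}, {"close"}]
    bad = [{"open"}, {"pushX"}, {"pushX"}, {"pushX"}, {"close"}]
    print(holds_on_trace(ok, "pushX", "open", "close", 2),
          holds_on_trace(bad, "pushX", "open", "close", 2))
```

For n = 2 the generator reproduces the slide's formula (with `&` and `|` in place of `/\` and `\/`), and the point of the pattern system is visible in the loop: the formula grows by two until-levels per unit of n, while the pattern line only changes one number. Note that the count is over states in which pushX holds, not over press events; a state-based encoding of "pushed" has to be chosen with that in mind.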
