Title: Design for Verification for Concurrent and Distributed Programs
1Design for Verificationfor Concurrent and
DistributedPrograms
- PhD Defense
- Aysu Betin-Can
- September 23, 2005
2Design for Verification
- Objective
- Making the automated software verification
techniques scalable to large systems - Design for Verification (DFV)
- Design the software system in a way that
- embeds the intentions of developers into software
- makes software systems amenable to automated
verification
3Outline
- Design for Verification (DFV) approach
- DFV for concurrent programming
- Concurrency controller pattern
- Thread Isolation
- Case studies
- DFV for asynchronously communicating web services
- Peer controller pattern
- Hierarchical interfaces
- Experiments
- Summary of contributions
4DFV Approach
- Use of stateful behavioral interfaces
- Isolation of the behavior and support modular
verification - Domain specific verifiable design patterns
- An assume-guarantee style verification strategy
- Interface verification
- Behavior verification
- A general model checking technique for interface
verification - Domain specific and specialized verification
techniques for behavior verification
5System Architecture
Multithreaded and/or distributed program based
on a DFV pattern
Behavior spec
Automated Behavior Translator
Domain Specific Model Checker
Thread Isolation and Stub Substitution
Verified
Error trace
Controllers
Java PathFinder
Notification Optimizer
Isolated program
Interfaces
Counting Abstraction
Optimized concurrency controller
Synchronizability Analyzer
Rest of the program
BPEL and WSDL for web services
BPEL Generator
6Verifiable Design Patterns
- Concurrency Controller Pattern BCB04
- Goal Eliminating synchronization errors
- Verification
- Behavior using Action Language Verifier BYK01
- Specialization Counting abstraction
- Peer Controller Pattern BCBF05
- Goal Analyzing interaction properties and
assuring conformance of service implementations
to their specifications - Verification
- Behavior using SPIN Hol97
- Specialization Synchronizability analysis
FBS04 - Interface verification Java PathFinder
VHBP03 with stubs
7Verification Approach
- Assume-guarantee style verification based on
behavioral interfaces - Assuming interface correctness during behavior
verification - Guaranteeing the interface correctness
- Combination of strengths of different model
checking techniques - Specialized model checkers with their own
specification language - Model checkers targeted to a programming language
- Thread isolation and modular interface
verification
8DFV of Concurrent Programming
- Concurrency Controller Pattern
- Decoupling of concurrency behavior from user
threads - Application to real-life concurrent software
- Concurrent text editor Concurrent Editor
- Air traffic control software TSAFE
- Thread isolation
- Closing the environment of a thread
conservatively - Thread-modular interface verification
9Concurrent Editor
Server
ltltRMIgtgt
10Concurrent Editor
2800 lines of code with 17 Java classes and 4
concurrency controllers
11Tactical Separation Assisted Flight Environment
(TSAFE)
ltltTCP/IPgtgt
User
Server
Radar feed
Client
EventThread
ltltRMIgtgt
21,057 lines of code with 87 classes and 2
concurrency controllers
12Concurrency Controller Pattern
ThreadA
SharedInterface
ThreadB
int
used at runtime
used at interface verification
used all times
13Controller Interfaces
produce_acquire
release
consume_acquire
Bounded buffer with Mutex Controller Interface
Reader-Writer Controller Interface
acquire
b_enter
release
b_exit
Barrier Controller Interface
Mutex Controller Interface
14Modular Verification (1)
- Behavior verification
- Analyzing properties of the synchronization
policy encapsulated with a concurrency controller
and its interface - Assuming threads obey interfaces
- Behavior verification with Action Language
Verifier - Infinite state symbolic model checker
- Suitable for specifications with unbounded
variables and parameterized constants - Translation to Action Language BY01
- Counting abstraction Del00YKB02
- Behavior verification for arbitrary number of
threads
15Modular Verification (2)
- Interface verification
- Does the thread invoke controller method in the
order as defined with its interface? - Does the thread access shared data only at
correct interface state? - Interface verification with Java PathFinder
- Arbitrary Java implementations of threads
- Property specification as assertions
- Look for assertion violations
- Assertions are embedded in StateMachine
- Improvement with Thread Isolation and interface
usage
16Thread Isolation
- Modeling thread influence on its environment with
stubs - File I/O, updating GUI components, socket
operations, RMI call to another program - Replace with pre-written or generated stubs
- Modeling environment influence on threads with
drivers - Thread initialization, RMI events, GUI events
- Enclose with drivers that generate all possible
events that influence controller access
17Thread Isolation
- Modeling thread-thread interactions with
interfaces - Concurrency controller action, shared data method
invocation - Replace concurrency controller with controller
interface state machines - Replace shared data with shared stubs
- Modeling asynchronous messaging with peer
interfaces - Communication controller, message classes
- Replace communication controller with peer
interface state machines - Replace messages with message stubs
18Interface Verification Performance
19Behavior Verification Performance
Concurrency controllers used in the
implementation of the Concurrent Editor and TSAFE
20Experiment on TSAFE
- Experimental study on TSAFE with fault seeding
- Concurrency controller faults
- initialization faults, guard faults, update
faults, blocking/nonblocking faults - Interface faults
- modified-call faults, conditional-call faults,
program variable faults, new-variable faults
21Falsification Performance
22DFV for Asynchronously Communicating Web Services
- Peer Controller Pattern
- Decoupling of application logic from
communication details - Application to several web service
implementations - Loan Approval, BookCD Order, Travel Agency,
Purchase Order Handling - Adapting synchronizability analysis FBS04
- Extension to hierarchical interfaces
23Asynchronously Communicating Web Services
- Web services
- Web accessible software that can be described,
published, located, and invoked over the Internet
standard technologies - Composite web services
- Loosely coupled interacting services through
standard interfaces - Opportunity for modular analysis
- Supporting asynchronous communication
- Undecidability in analysis FBS04
- Standard data transmission via XML
24Loan Approval System
Messages request, approval,
risk check, nocheck
25Loan Approval System
Messages request(amount), approval(accept),
risk(level) check(amount), nocheck()
26Peer Controller Pattern
ApplicationThread
used at runtime
used at interface verification
used all times
27Interfaces of Loan Approval
LoanApprover
CustomerRelations
Sample Conversation request(amountlarge),check(a
mountlarge), risk(levelhigh),
approval(acceptfalse)
RiskAssessor
28Modular Verification (1)
- Interface verification
- Does each peer interact with others as specified?
- Interface verification with Java PathFinder
- Assertions embedded in StateMachine
- Abstracting asynchronous messaging by using peer
interfaces as stubs - Peer-modular interface verification
- Further reduction of state space with message
stubs
29Modular Verification (2)
- Behavior Verification
- Analyzing global interaction properties
- Modeling global behavior and properties as
conversations Fu04 - Conversation The sequence of messages exchanged
among peers, recorded in the order they are sent - Sample Property Whenever a request with a small
amount is sent, eventually an approval message
accepting the loan request will be sent. - Behavior verification with SPIN
- Translation to specification language of SPIN
Hol97 - Peer interfaces are already a model of the system
- Finite state model checker
- Need to bind the message queue sizes
30BookCD Service
- SPIN runs out of memory for queue size 15!!!
- Reachable state space is infinite
- Absence of error for queue size 15 does not
ensure freedom of bugs! - Not only unbounded queues, but also efficiency
- Solution Adapting synchronizability analysis
31Synchronizability
- Model checking a composite web service that
communicates asynchronously with unbounded queues
is undecidable FBS03 - Automated Synchronizability analysis
- A composite web service is synchronizable, if it
generates the same conversation set both under
asynchronous and synchronous communication
FBS04 - Promela with synchronous communication semantics
- No message buffering
- Reduced state space hence improved efficiency
- Enables unbounded behavior verification
32Hierarchical Peer Interfaces
- A hierarchical state machine (HSM) model as
behavioral interfaces of peers - Finite state machine whose states can be
composite or atomic states - Advantages over flat finite state machines
- compact representation
- natural hierarchy of the service behavior
- exponentially less number of states and
transitions - specification of concurrent executions of
operations
33HSM Class Diagram
HSM
sendTransition() receiveTransition()
And
Or
substatesState defaultStateState
substatesState
SendTransition
guardExpGuardedUpdate
34Example Travel Agency
HotelReserve
Customer
reqHotel
travelInv
TravelAgent
carInv
flightInv
FlightReserve
CarReserve
date place process transResv transNoResv
reqFlight
reqCar
hotelInv
35HSM for TravelAgent Peer
?process
?transResv
!reqFlight
!reqCar
!travelInv
!reqFlight
?carInv
?flightInv
?transNoResv
36Interface Verification Performance
Book-CD Order Service
Loan Approval Service
Travel Agency Service
Purchase Order Handling Service
37Behavior Verification Performance
38BPEL Generation
- A benefit of explicit peer interfaces
- Automated generation
- Both from flat peer interfaces and HSMs
- Mappings of send and receive transitions to BPEL
activity blocks - Hierarchy with scopes and flows
- Main activity block is
- a state machine
39Summary of Contributions
- A DFV approach for concurrent programs and for
asynchronously communicating web services - Concurrency controller pattern
- Peer controller pattern
- An assume-guarantee style verification strategy
- Combining different model checking techniques
- Thread and peer isolation
- Experiments on 2 real-life concurrent systems
- Experiments on several composite web services
- Hierarchical interfaces
- Compact representation of the natural hierarchy
- Extended synchronizability analysis
40Related Work
- Design for Verification
- MP03, Mehlitz et al. promote using design
patterns and exploiting their properties - Sharygina et al. SBK01 focus on verification of
UML models - Used in Circuit Design and Embedded Systems
SF03, GSB02, SBBCM01 - Assume-guarantee style verification
- PDH99, CCGJV
41Related Work
- Design Patterns for multi-threaded systems
- SSRB00, Lea99, Gra02,SPM96
- Verification and synthesizing monitors
- DDHM02, YKB02, MK99
- Environment extraction/generation
- PDH99,TD03, TDP03, extracts a model of the
classes that influences a software unit
42Related Work
- Model checking Web Services
- FBS04, Fu et al. use SPIN for composition check
- Global conversation
- FUMK03 , Foster et al.
- Composition behavior is specified with message
sequence charts - Behavioral Contracts of Peers
- too little, e.g. WSDL, or too powerful, e.g. BPEL
- State Machines Fu04
- Conformance check
- RR02, Rajamani et al. use SPIN for conformance
check - between specification model and a model extracted
from implementation
43Related Work
- Behavioral and stateful interfaces
- Interface compatibility checking CAHJM02
- Extended type systems with stateful interfaces
and interface checking as a part of type checking
DF01,DF04 - Interface discovery and synthesis by analyzing
existing code WML02,ACMN05
44Thank You
45Extra slides
46Synchronizability Conditions FBS04
- Autonomous Condition
- At any state a peer has exactly one of three
choices send, receive or terminate - Synchronous compatibility
- When one peer is ready to send a message, there
should be another peer which is ready to receive
that message - Automated synchronizability analyzer
- Exploiting explicit peer interface implementations
47Synchronizability Analyzer
- Analyzer checks the conditions on HSMs without
flattening - Autonomy check algorithm
- Transitions originating from a composite state
have to be either all sends or all receives - There are no configurations that follows a final
configuration - All transitions originating from a state are
either send or receive transitions - Synchronous compatibility
- Looking for violating configurations directly on
HSMs by using next configuration computation
48Reader-Writer Controller
- public void w_enter() act_w_enter.blocking()
- public boolean w_exit()
- return act_w_exit.nonblocking()
- public void r_enter() act_r_enter.blocking()
- public boolean r_exit()
- return act_r_exit.nonblocking()
- class RWController implements RWInterface
- int nR boolean busy
- final Action act_r_enter, act_r_exit
- final Action act_w_enter, act_w_exit
- RWController() ...
- gcs new Vector()
- gcs.add(new GuardedCommand()
- public boolean guard()
- return (nR 0 !busy )
- public void update()
- busy true )
- act_w_enter new Action(this,gcs)
- ..//other actions
-
49Action Class
- class Action
- protected final Object owner
- private boolean GuardedExecute()
- boolean resultfalse
- for(int i0 iltgcV.size() i)
- try
- if(((GuardedCommand)gcV.get(i)).guard())
- ((GuardedCommand)gcV.get(i)).update()
- resulttrue break
- catch(Exception e)
- return result
-
- public void blocking()
- synchronized(owner)
- while(!GuardedExecute())
- tryowner.wait()catch (Exception e)
- owner.notifyAll()
-
- public boolean nonblocking()
- synchronized(owner)
- boolean resultGuardedExecute()
- if (result) owner.notifyAll()
- return result
-
50Reader-Writer Controller
- module main()
- integer nR boolean busy
- module RWController()
- enumerated pc IDLE , READING, WRITING
- initial nR 0 and busy false
- initial pcIDLE
- r_enter_0 pcIDLE and ( ! busy ) and
nR' nR 1 and pc'READING - r_exit_0 pcREADING and true and nR'
nR - 1 and pc'IDLE - r_exit_1 pcREADING and !( ( true)) and
pc' IDLE - w_enter_0 pcIDLE and ( nR 0 and !
busy ) and busy' true - and pc'WRITING
- w_exit_0 pcWRITING and true and busy'
false and pc'IDLE - w_exit_1 pcWRITING and !( ( true)) and
pc' IDLE - RWControllerw_enter_0 w_exit_0 w_exit_1
r_enter_0 r_exit_0 r_exit_1 - endmodule
- main RWController() RWController()
RWController() RWController() - endmodule
51Abstract Reader-Writer
- module main()
- integer nR boolean busy
- parameterized integer numInstance
- module RWController()
- integer IDLE , READING, WRITING
- initial nR 0 and busy false
- initialIDLEnumInstance and READING 0
and WRITING 0 - restrict IDLE READING
WRITINGnumInstance and numInstancegt0 - r_enter_0IDLEgt0 and ( ! busy ) and nR'
nR 1 - and READING'READING1
and IDLE' IDLE-1 - r_exit_0READINGgt0 and true and nR'
nR - 1 and IDLE'IDLE1 - and READING' READING-1
- r_exit_1 READINGgt0 and !( ( true)) and
IDLE' IDLE1 - and READING' READING-1
- .//other actions
- RWControllerw_enter_0 w_exit_0 w_exit_1
r_enter_0 r_exit_0 r_exit_1 - endmodule
- main RWController()
- endmodule
52Concurrency Controller Interface
- public class RWStateMachine implements
RWInterface - StateMachine sm
- final static int IDLE0, READING1, WRITING2
- public RWStateMachine() ...
- sm.insert(
- "w_enter",IDLE, WRITING)
- .//other transitions
-
- public void w_enter()
- sm.transition("w_enter")
-
- ...
-
r_enter
READING
r_exit
IDLE
w_exit
WRITING
w_enter
53Communication Servlet Example
- public class ApproverServlet extends PeerServlet
implements AppServlet - private Endpoint customernew Endpoint("urnCusto
merRelations") - private Endpoint mypointnew Endpoint("urnLoanAp
prover") - .....
- public Object approved(int sessionId, int peer,
Object args) - SOAPMessage msgsuper.wrap(sessionId,MSG_approv
ed,peer,args) - super.send(msg,customer,mypoint)
- return null
-
- public Object receive(int sessionId)
- return approver.getMessage(sessionId)
-
- public void onMessage(SOAPMessage message)
- MessageFields fieldsunwrap(message)
- approver.putMessage(fields)
-
54CommunicatorStub Example
- public class CommunicatorStub implements
LoanApprover - private StateMachine sm
- private ApprovalMessage aproval
- private RequestMessage request
-
- public CommunicatorStub()
- smnew StateMachine(..)
-
- GuardedUpdate gcnew GuardedUpdate()
- public boolean guard()
- return last_risk.level()Low
- public boolean update()
- return approval.accepttrue
- SendTransition trans new SendTransition(appro
val,3,5,gc) - sm.addTransition(trans)
- ReceiveTransition rtrans new
ReceiveTransition (request,0,1) - sm.addTransition(rtrans)
-
55Promela for Loan Approval
- do
- state0 -gtif
- approverQ?requestType,msg-gt
- approverQ?requestType,msg
- requestmsg.amountmsg.requestmsg.amount
- /update/
- state1
- fi
- state3 -gt if
- riskmsg.levellow -gt /guardV/
- approvalmsg.accepttrue/guardP/
- msg.approvalmsg.acceptapprovalmsg.accept
- atomic
- lastmsg.approvalmsg.accept
- approvamsg.accept/update
/ - customerQ!approvalType,msg
- state5
- riskmsg.levelhigh -gt /guardV/
- approvalmsg.acceptfalse/guardP/
- define size 5
- mtype requestType, approvalType,
- nocheckType, checkType, riskType
- /data domains/
- mtype undef1,small,large//amount
- mtype undef2,low,high//level
- /message types/
- typedef approval bool accept
- typedef request mtype amount
- typedef risk mtype level
- ....
- message lastmsg
- /channels/
- chan customerQsize of mtype, message
- chan approverQsize of mtype, message
- chan assessorQsize of mtype, message
- proctype CustomerRelations()...
56HSM for TravelAgent Peer
?process
?transResv
!reqFlight
!travelInv
!reqCar
!reqFlight
?carInv
?flightInv
?transNoResv
?msg
57HSM for TravelAgent Peer
?process
?transResv
!reqFlight
!reqCar
!travelInv
!reqFlight
?carInv
?flightInv
?transNoResv
!msg
58Transition Mappings
- ltsequencegt
- ltreceive partnerLink"RiskAssessor"
portType"ns2ApproverPT" - operation"ns2risk" variable"risk"gt
- lt/receivegt
- ltassigngtltcopygt
- ltfrom expression"'3'"/gt
- ltto variable"state"/gt
- lt/copygtlt/assigngt
- lt/sequencegt
59Transition Mappings
- ltcase condition"getVariableData('risk',
'level')'low'"gt - ltsequencegt
- ltassigngtltcopygt
- ltfrom expression"'true'"/gt
- ltto variable"approval" part"accept"/gt
- lt/copygtlt/assigngt
- ltinvoke partnerLink"CustomerRelations"
- portType"ns1CustomerPT"
- operation"ns1approval"
- inputVariable"approval"gt
- lt/invokegt
- ltassigngt ltcopygt
- ltfrom expression"'5'"/gt ltto
variable"state"/gt - lt/copygt lt/assigngt
- lt/sequencegt
- lt/casegt