Tools for Automated Verification of Concurrent Software

1
Tools for Automated Verification of Concurrent
Software

• Tevfik Bultan
• Department of Computer Science
• University of California, Santa Barbara
• bultan_at_cs.ucsb.edu
• http//www.cs.ucsb.edu/bultan/
• http//www.cs.ucsb.edu/bultan/composite/

2
Summary

• Goal Reliable concurrent programming
• Sub-goals
• Developing reliable concurrency controllers in
  Java
• Developing reliable concurrent linked lists
• Approach Model Checking
• Refined Approach Composite Model Checking
• Specification Language Action Language
• Tools
• Composite Symbolic Library
• Action Language Verifier

3
Students

• Joint work with my students
• Tuba Yavuz-Kahveci
• Constantinos Bartzis
• Xiang Fu (co-advised with Jianwen Su)
• Aysu Betin-Can

4
Outline

• Difficulties in concurrent programming
• A short history of model checking
• 5 key ideas 2 key tools
• Action Language
• Composite Symbolic Library
• Application to concurrency controllers
• Application to concurrent linked lists
• Related work
• Current and future work

5
Difficulties in Concurrent Programming

• Concurrent programming is difficult and error
  prone
• In sequential programming you only worry about
  the states of the variables
• In concurrent programming you also have to worry
  about the states of the threads
• State space increases exponentially with the
  number of threads

6
Concurrent Programming in Java

• Java uses a variant of monitor programming
• Synchronization using locks
• Each object has a lock
• synchronized(o) ...
• Coordination using condition variables
• Objects can be used as condition variables
• synchronized (condVar)
• while (!condExp) wait(condVar)
• ...
• notifyAll(condVar)

7
Dangers in Java Concurrency

• Nested locks

Thread1
Thread2
synchronized m(other) other.m()
Thread1 run() o1.m(o2) Thread2 run()
o2.m(o1)
o2
o1
lock
lock
8
Dangers in Java Concurrency

• Missed notification
• notify(condVar)
• Forgotten condition check
• if(!condExp) wait(condVar)
• Dependency among multiple condition variables can
  be complicated
• Conservative notification and condition check
• Inefficient
• Optimizing the notification and condition checks
• Error prone

9
Example Airport Ground Traffic Control Simulation
A simplified model of Seattle Tacoma
International Airport from Zhong 97
10
Control Logic

• An airplane can land using 16R only if no
  airplane is using 16R at the moment
• An airplane can takeoff using 16L only if no
  airplane is using 16L at the moment
• An airplane taxiing on one of the exits C3-C8 can
  cross runway 16L only if no airplane is taking
  off at the moment
• An airplane can start using 16L for taking off
  only if none of the crossing exits C3-C8 is
  occupied at the moment (arriving airplanes have
  higher priority)
• Only one airplane can use a taxiway at a time

11
Java Implementation

• Simulate behavior of each airplane with a thread
• Use a monitor (a Java class)
• private variables for number of airplanes on each
  runway and each taxiway
• methods of the monitor enforce the control logic
• Each thread calls the methods of the monitor
  based on the airport layout to move from one
  point to the next

12
Example Implementation

• public synchronized void C8_To_B11A()
• while (!((numRW16L 0) (numB11A 0)))
• wait()
• numC8 numC8 - 1
• numB11A numB11A 1
• notifyAll()
• This code is not efficient since every thread
  wakes up every other thread
• Using separate condition variables complicates
  the synchronization
• nested locks

13
Difficulties In Implementing Concurrent Linked
Lists

• Linked list manipulation is difficult and error
  prone
• State of the heap unbounded
• State space
• Sequential programming
• states of the variables
• Concurrent programming
• states of the variables
• states of the threads
• Concurrent linked lists
• states of the variables
• states of the threads
• state of the heap

14
Examples
next

• singly linked lists
• doubly linked lists
• stack
• queue
• single lock
• double lock
• allows concurrent inserts and deletes

n1
n2
next
next
next
prev
n1
n2
prev
next
n1
n2
top
next
last
n1
n2
first
next
next
15
Outline of Our Approach

• Specify concurrency controllers and concurrent
  linked lists in Action Language
• Verify their properties using composite model
  checking
• Generate Java classes from the specifications
  which preserve their properties

16
Action Language Tool Set
Action Language Specification
Action Language Parser
Composite Symbolic Library
Code Generator
Omega Library
CUDD Package
MONA
Presburger Arithmetic Manipulator
BDD Manipulator
Automata Manipulator
Verified code (Java monitor classes)
17
Outline

• Difficulties in concurrent programming
• A short history of model checking in 7 slides
• 5 key ideas 2 key tools
• Action Language
• Composite Symbolic Library
• Application to concurrency controllers
• Application to concurrent linked lists
• Related work
• Current and future work

18
Idea 1 Temporal Logics for Reactive Systems
Pnueli FOCS 77, TCS 81

• Transformational systems
• get input
• compute something
• return result
• Reactive systems
• while (true)
• receive some input,
• send some output
• For reactive systems
• termination is not relevant
• pre and post-conditions are not enough

• Temporal Logics
• Invariant p (G p, AG p, p)
• Eventually p (F p, AF p, p)
• Next p (X p, AX p, p)
• p Until q ( p U q, A(p U q) )

p
p
Branching vs. Linear Time
p
LTL
CTL
AF(p), EG(p)
F(p)
G(p)
p
p
p
p
p
p
p
p
. . .
. . .
. . .
. . .
. . .
19
Idea 2 Automated Verification of Finite State
Systems Clarke and Emerson 81, Queille and
Sifakis 82

• Transition Systems
• S Set of states (finite)
• I ? S Set of initial states
• R ? S ? S Transition relation
• Model checking problem Given a temporal logic
  property, does the transition system satisfy the
  property?
• Complexity linear in the size of the transition
  system

• Verification vs. Falsification
• Verification
• show initial states ? truth set of p
• Falsification
• find a state ? initial states ? truth set of ?p
• generate a counter-example starting from that
  state

20
Idea 3 Temporal Properties ? Fixpoints Emerson
and Clarke 80
EF(?p) ? states that can reach ?p ? ?p ?
Pre(?p) ? Pre(Pre(?p)) ? ...


Initial states

?p
EF(?p)

initial states that satisfy EF(?p) ? initial
states that violate AG(p)
EG(?p) ? states that can avoid reaching p ? ?p ?
Pre(?p) ? Pre(Pre(?p)) ? ...

Initial states

EG(?p)
initial states that satisfy EG(?p) ? initial
states that violate AF(p)
21
Idea 4 Symbolic Model CheckingMcMillan et al.
LICS 90

• Represent sets of states and the transition
  relation as Boolean logic formulas
• Fixpoint computation becomes formula manipulation
• pre and post-condition computations Existential
  variable elimination
• conjunction (intersection), disjunction (union)
  and negation (set difference), and equivalence
  check
• Use an efficient data structure
• Binary Decision Diagrams (BDDs)

22
Tool 1 SMV McMillan 93

• BDD-based symbolic model checker
• Finite state
• Temporal logic CTL
• Focus hardware verification
• Later applied to software specifications,
  protocols, etc.
• SMV has its own input specification language
• concurrency synchronous, asynchronous
• shared variables
• boolean and enumerated variables
• bounded integer variables (binary encoding)
• SMV is not efficient for integers, can be fixed

23
Idea 5 LTL Properties ? Büchi automata Vardi
and Wolper LICS 86

• Büchi automata Finite state automata that accept
  infinite strings
• A Büchi automaton accepts a string when the
  corresponding run visits an accepting state
  infinitely often
• The size of the property automaton can be
  exponential in the size of the LTL formula

true
p
?p
G p
true
p
?p
F p
true
p
G (F p)
true
24
Tool 2 SPIN Holzmann 91, TSE 97

• Explicit state, finite state
• Temporal logic LTL
• Input language PROMELA
• Asynchronous processes
• Shared variables
• Message passing through (bounded) communication
  channels
• Variables boolean, char, integer (bounded),
  arrays (fixed size)

• Property automaton from the negated LTL property
• Product of the property automaton and the
  transition system (on-the-fly)
• Show that there is no accepting cycle in the
  product automaton
• Nested depth first search to look for accepting
  cycles
• If there is a cycle, it corresponds to a
  counterexample behavior that demonstrates the bug

25
Model Checking Research

• These 5 key ideas and 2 key tools inspired a lot
  of research Clarke, Grumberg and Peled, 99
• efficient symbolic representations
• partial order reductions
• abstraction
• compositional/modular verification
• model checking infinite state systems (pushdown
  automata)
• model checking real time systems
• model checking hybrid systems
• model checking programs
• ...

26
Outline

• Difficulties in concurrent programming
• A short history of model checking
• 5 key ideas 2 key tools
• Action Language
• Composite Symbolic Library
• Application to concurrency controllers
• Application to concurrent linked lists
• Related work
• Current and future work

27
Action Language Bultan, ICSE 00, Bultan,
Yavuz-Kahveci, ASE 01

• A state based language
• Actions correspond to state changes
• States correspond to valuations of variables
• boolean
• enumerated
• integer (possibly unbounded)
• heap variables (i.e., pointers)
• Parameterized constants
• specifications are verified for every possible
  value of the constant

28
Action Language

• Transition relation is defined using actions
• Atomic actions Predicates on current and next
  state variables
• Action composition
• asynchronous () or synchronous ()
• Modular
• Modules can have submodules
• A modules is defined as asynchronous and/or
  synchronous compositions of its actions and
  submodules

29
Readers Writers Example
S Cartesian product of variable domains
defines the set of states

• module main()
• integer nr
• boolean busy
• restrict nrgt0
• initial nr0 and !busy
• module Reader()
• boolean reading
• initial !reading
• rEnter !reading and !busy and
• nrnr1 and reading
• rExit reading and !reading and nrnr-1
• Reader rEnter rExit
• endmodule
• module Writer()
• ...
• endmodule

I Predicates defining the initial states
R Atomic actions of the Reader
R Transition relation of Reader defined as
asynchronous composition of its atomic actions
R Transition relation of main defined as
asynchronous composition of two Reader and two
Writer processes
30
Outline

• Difficulties in concurrent programming
• A short history of model checking
• 5 key ideas 2 key tools
• Action Language
• Composite Symbolic Library
• Application to concurrency controllers
• Application to concurrent linked lists
• Related work
• Current and future work

31
Which Symbolic Representation to Use?

• BDDs
• canonical and efficient representation for
  Boolean logic formulas
• can only encode finite sets

• Linear Arithmetic Constraints
• can encode infinite sets
• two representations
• polyhedral representation
• automata representation
• not efficient for encoding boolean domains

x ? y ? (T,T), (T,F), (F,T)
x
F
a gt 0 ? b a1

T
y
? (1,2), (2,3), (3,4),...
F
T
F
T
32
Composite Model CheckingBultan, Gerber, League
ISSTA 98, TOSEM 00

• Map each variable type to a symbolic
  representation
• Map boolean and enumerated types to BDD
  representation
• Map integer type to a linear arithmetic
  constraint representation
• Use a disjunctive representation to combine
  different symbolic representations composite
  representation
• Each disjunct is a conjunction of formulas
  represented by different symbolic representations
• we call each disjunct a composite atom

33
Composite Representation
composite atom
symbolic rep. 1
symbolic rep. 2
symbolic rep. t
Example x integer, y boolean xgt0 and x?x-1
and y or xlt0 and x?x and y?y
arithmetic constraint representation
arithmetic constraint representation
BDD
BDD
34
Composite Symbolic Library Yavuz-Kahveci,
Tuncer, Bultan TACAS01, Yavuz-Kahveci, Bultan
STTT

• Uses a common interface for each symbolic
  representation
• Easy to extend with new symbolic representations
• Enables polymorphic verification
• Multiple symbolic representations
• As a BDD library we use Colorado University
  Decision Diagram Package (CUDD) Somenzi et al
• As an integer constraint manipulator we use Omega
  Library Pugh et al

35
Composite Symbolic Library Class Diagram
Symbolic

• intersect()
• union()
• complement()
• isSatisfiable()
• isSubset()
• pre()
• post()

CUDD Library
OMEGA Library
36
Composite Symbolic Representation
x integer, yboolean xgt0 and x?x-1 and y or
xlt0 and x?x and y?y
CompSym
representation ListltcompAtomgt
ListNodeltcompAtomgt
ListNodeltcompAtomgt
data compAtom
data compAtom
b
0
y
0
yy
1
xgt0 and xx-1
1
xlt0 and xx
next ListNodeltcompAtomgt
next ListNodeltcompAtomgt
37
Pre and Post-condition Computation

• Variables
• x integer, y boolean
• Transition relation
• R xgt0 and x?x-1 and y or xlt0 and x?x and
  y?y
• Set of states
• s x2 and !y or x0 and !y
• Compute post(s,R)

38
Pre and Post-condition Distribute

• R xgt0 and x?x-1 and y or xlt0 and x?x and
  y?y
• s x2 and !y or x0 and y
• post(s,R) post(x2 , xgt0 and x?x-1) ? post(!y
  , y)
• x1 y
• post(x2 , xlt0 and x?x) ? post (!y , y?y)
• false
  !y
• post(x0 , xgt0 and x?x-1) ? post(y , y)
• false
  y
• post (x0 , xlt0 and x?x) ? post (y, y?y )
• x0
  y
• x1 and y or x0 and y

39
Polymorphic Verifier

• Symbolic TranSyscheck(Node f)
• Symbolic s check(f.left)
• case EX
• s.pre(transRelation)
• case EF
• do
• sold s
• s.pre(transRelation)
• s.union(sold)
• while not sold.isEqual(s)

? Action Language Verifier is polymorphic ? It
becomes a BDD based model checker when there or
no integer variables
40
Heuristics for Composite RepresentationYavuz-Kah
veci, Bultan FroCos 02

• Masking
• compute operations on BDDs first
• avoid redundant computations on integer part
• Incremental subset check
• Exploit the disjunctive structure by computing
  subset checks incrementally
• Interleaving pre-condition computation with the
  subset check in least-fixpoint computations
• Simplification
• Reduce the number of disjuncts in the composite
  representation by iteratively merging matching
  disjuncts

41
Some Experiments
Without the simplification for 15 out of 39
problem instances the verifier ran out of memory
42
Outline

• Difficulties in concurrent programming
• A short history of model checking
• 5 key ideas 2 key tools
• Action Language
• Composite Symbolic Library
• Application to concurrency controllers
• Application to concurrent linked lists
• Related work
• Current and future work

43
Application to Concurrency ControllersYavuz-Kahv
eci, Bultan ISTTA 02 Betin-Can, Bultan SoftMC
03

• Outline of our approach
• Specify concurrency controllers and concurrent
  linked lists in Action Language
• Verify their properties using composite model
  checking
• Generate Java classes from the specifications
  which preserve their properties

44
Readers-Writers Controller

• module main()
• integer nr
• boolean busy
• restrict nrgt0
• initial nr0 and !busy
• module Reader()
• boolean reading
• initial !reading
• rEnter !reading and !busy and
• nrnr1 and reading
• rExit reading and !reading and nrnr-1
• Reader rEnter rExit
• endmodule
• module Writer()
• boolean writing
• initial !writing
• wEnter !writing and nr0 and !busy and
• busy and writing
• wExit writing and !writing and !busy

45
Arbitrary Number of Threads

• Counting abstraction
• Create an integer variable for each local state
  of a thread
• Each variable will count the number of threads in
  a particular state
• Local states of the threads have to be finite
• Specify only the thread behavior that relates to
  the correctness of the controller
• Shared variables of the controller can be
  unbounded
• Counting abstraction can be automated

46
Readers-Writers After Counting Abstraction
Parameterized constants introduced by the
counting abstractions

• module main()
• integer nr
• boolean busy
• parameterized integer numReader, numWriter
• restrict nrgt0 and numReadergt0 and
  numWritergt0
• initial nr0 and !busy
• module Reader()
• integer readingF, readingT
• initial readingFnumReader and readingT0
• rEnter readingFgt0 and !busy and
• nrnr1 and readingFreadingF-1 and
• readingTreadingT1
• rExit readingTgt0 and nrnr-1
  readingTreadingT-1 and
  readingFreadingF1
• Reader rEnter rExit
• endmodule
• module Writer()
• ...
• endmodule
• main Reader() Writer()

Variables introduced by the counting abstractions
47
Verification of Readers-Writers Controller
SUN ULTRA 10 (768 Mbyte main memory)
48
What about the Java Implementation?

• We can automatically generate code from the
  controller specification
• Generate a Java class
• Make shared variables private variables
• Use synchronization to restrict access
• Is the generated code efficient?
• Yes!
• We can synthesize the condition variables
  automatically
• There is no unnecessary thread notification

49
Specific Notification PatternCargill 96

• public class ReadersWriters
• private int nr
• private boolean busy
• private Object rEnterCond, wEnterCond
• private synchronized boolean Guard_rEnter()
• if (!busy)
• nr
• return true
• else return false
• public void rEnter()
• synchronized(rEnterCond)
• while(!Guard_rEnter())
• rEnterCond.wait()
• public void rExit()
• synchronized(this) nr--
• synchronized(wEnterCond) wEnterCond.notify()
  

All condition variables and wait and signal
operations are generated automatically
rEnter !reading and !busy and nrnr1 and
reading
50
Example Airport Ground Traffic Control
A simplified model of Seattle Tacoma
International Airport from Zhong 97
51
Action Language Specification
module main() integer numRW16R, numRW16L,
numC3, ... initial numRW16R0 and numRW16L0
and ... module Airplane() enumerated pc
arFlow, touchDown, parked, depFlow,
taxiTo16LC3, ..., taxiFr16LB2, ..., takeoff
initial pcarFlow or pcparked reqLand
pcarFlow and numRW16R0 and pctouchDown
and numRW16RnumRW16R1 exitRW3
pc touchDown and numC30 and
numC3numC31 and numRW16RnumRW16R-1 and
pctaxiTo16LC3 ...
Airplane reqLand exitRW3 ... endmodule
main AirPlane() Airplane() Airplane()
.... spec AG(numRW16R?1 and numRW16L ?1)
spec AG(numC3 ?1) spec AG((numRW16L0 and
numC3numC4...numC8gt0) gt
AX(numRW16L0)) endmodule
52
Airport Ground Traffic Control

• Action Language specification
• Has 13 integer variables
• Has 6 Boolean variables per airplane process to
  keep the local state of each airplane
• 20 actions
• Automatically generated Java monitor class
• Has 13 integer variables
• Has 14 condition variables
• Has 34 methods

53
Experiments
A Arriving Airplane D Departing Airplane P
Arbitrary number of threads
54
Efficient Java Implementation

• public class airport
• private int numRW16R
• private int numRW16L
• private int numC3
• ....
• private Object CondreqLand
• private Object CondexitRW3
• ...
• public airport()
• numRW16R 0
• numRW16L 0
• ...
• private synchronized boolean Guarded_reqLand()
• if(numRW16R 0)
• numRW16R numRW16R 1
• return true
• else return false

public void reqLand() synchronized(CondreqLand)
while (! Guarded_reqLand()) try
CondreqLand.wait()
catch(InterruptedException e)
55
Outline

• Difficulties in concurrent programming
• A short history of model checking
• 5 key ideas 2 key tools
• Action Language
• Composite Symbolic Library
• Application to concurrency controllers
• Application to concurrent linked lists
• Related work
• Current and future work

56
Heap TypeYavuz-Kahveci, Bultan SAS 02

• Heap type in Action Language
• heap next top
• Heap type represents dynamically allocated
  storage
• topnew
• We need to add a symbolic representation for the
  heap type to the Composite Symbolic Library

numItems gt 2 gt top.next ! null
57
Concurrent Stack

• module main()
• heap next top, add, get, newTop boolean
  mutex integer numItems
• initial topnull and mutex and numItems0
• module push()
• enumerated pc l1, l2, l3, l4
• initial pcl1 and addnull
• push1 pcl1 and mutex and !mutex and
  addnew and pcl2
• push2 pcl2 and numItems0 and topadd and
  numItems1 and pcl3
• push3 pcl3 and top.next null and mutex
  and pcl1
• push4 pcl2 and numItems!0 and
  add.nexttop and pcl4
• push5 pcl4 and topadd and
  numItemsnumItems1 and
• mutex and pcl1
• push push1 push2 push3 push4 push5
• endmodule
• module pop()
• ...
• endmodule
• main pop() pop() push() push()
• specAG(mutex gt(numItems0 ltgt topnull))

58
Shape Graphs

• Shape graphs represent the states of the heap
• Each node in the shape graph represents a
  dynamically allocated memory location
• Heap variables point to nodes of the shape graph
• The edges between the nodes show the locations
  pointed by the fields of the nodes

heap variables add and top point to node
n1 add.next is node n2 top.next is also node
n2 add.next.next is null
add
top
next
n1
n2
next
59
Composite Symbolic Library
Symbolic

• union()
• isSatisfiable()
• isSubset()
• forwardImage()

BoolSym
HeapSym
IntSym
representation BDD
representation list of ShapeGraph
representation list of Polyhedra

• union()

• union()

• union()

CUDD Library
OMEGA Library
60
Forward Fixpoint
arithmetic constraint representation
A set of shape graphs
BDD
add
top
?
?
pcl1 ? mutex
numItems2
61
Post-condition Computation Example
set of states
add
top
?
?
pcl4 ? ?mutex
numItems2
transition relation
?
pcl4 and mutex pcl1
?
numItemsnumItems1
?
pcl1 ? mutex
numItems3
62
Fixpoints Do Not Converge

• We have two reasons for non-termination
• integer variables can increase without a bound
• the number of nodes in the shape graphs can
  increase without a bound
• The state space is infinite
• Even if we ignore the heap variables,
  reachability is undecidable when we have
  unbounded integer variables
• So, we use conservative approximations

63
Conservative Approximations

• Compute a lower ( p? ) or an upper ( p )
  approximation to the truth set of the property (
  p )
• Model checker can give three answers

I
p
p?
p
I
p?
The property is satisfied
I dont know
sates which violate the property
I
p
? p?
p
The property is false and here is a
counter-example
64
Conservative Approximations

• Truncated fixpoint computations
• To compute a lower bound for a least-fixpoint
  computation
• Stop after a fixed number of iterations
• Widening
• To compute an upper bound for the least-fixpoint
  computation
• We use a generalization of the polyhedra widening
  operator by
• Cousot and Halbwachs POPL77
• Summarization
• Generate summary nodes in the shape graphs which
  represent more than one concrete node

65
Summarization

• The nodes that form a chain are mapped to a
  summary node
• No heap variable points to any concrete node that
  is mapped to a summary node
• Each concrete node mapped to a summary node is
  only pointed by a concrete node which is also
  mapped to the same summary node
• During summarization, we also introduce an
  integer variable which counts the number of
  concrete nodes mapped to a summary node

66
Summarization Example
add
top
?
?
pcl1 ? mutex
numItems3
summarized nodes
After summarization, it becomes
add
top
?
?
pcl1 ? mutex
numItems3 ? summarycount2
a new integer variable representing the number of
concrete nodes encoded by the summary node
summary node
67
Simplification
add
top
numItems3 ? summaryCount2
?
?
pcl1 ? mutex
?
add
top
?
numItems4 ? summaryCount3
?

pcl1 ? mutex

add
top
?

• (numItems4
• summaryCount3
• numItems3
• ? summarycount2)

?

pcl1 ? mutex
68
Simplification On the Integer Part
add

• (numItems4
• summaryCount3
• numItems3
• ? summaryCount2)

top
?
?

pcl1 ? mutex

add
top
?
?

• numItemssummaryCount1
• 3 ? numItems
• numItems ? 4

pcl1 ? mutex

69
Widening

• Fixpoint computation still will not converge
  since numItems and summaryCount keep increasing
  without a bound
• We use the widening operation
• Given two composite atoms c1 and c2 in
  consecutive fixpoint iterates, assume that
• c1 b1 ? i1 ? h1
• c2 b2 ? i2 ? h2
• where b1 b2 and h1 h2 and i1 ? i2
• Assume that i1 is a single polyhedron and i2 is
  also a single polyhedron

70
Widening

• Then
• i1 ? i2 is defined as all the constraints in i1
  which are also satisfied by i2
• Replace i2 with i1 ? i2 in c2
• This generates an upper approximation to the
  forward-fixpoint computation

71
Widening Example
add
top
?
?

• numItemssummaryCount1
• 3 ? numItems
• numItems ? 4

pcl1 ? mutex
?
add
?
?
top

• numItemssummaryCount1
• 3 ? numItems
• numItems ? 5

pcl1 ? mutex

add
top
?
?

• numItemssummaryCount1
• 3 ? numItems

pcl1 ? mutex

Now, fixpoint converges
72
Verified Properties
73
Experimental Results
Verification times in secs
HC heap control IC integer control
74
Verifying Linked Lists with Multiple Fields

• Pattern-based summarization
• User provides a graph grammar rule to describe
  the summarization pattern
• L x next x y, prev y x, L y
• Represent any maximal sub-graph that matches the
  pattern with a summary node
• no node in the sub-graph pointed by a heap
  variable

75
Summarization Pattern Examples
...
n
n
n
L x ? x.n y, L y
...
n
n
n
L x ? x.n y, y.p x, L y
p
p
p
...
n
n
n
L x ? x.n y, x.d z, L y
d
d
d
76
Outline

• Difficulties in concurrent programming
• A short history of model checking
• 5 key ideas 2 key tools
• Action Language
• Composite Symbolic Library
• Application to concurrency controllers
• Application to concurrent linked lists
• Related work
• Current and future work

77
Shape Analysis

• There is a lot of work on Shape analysis, I will
  just mention the ones which directly influenced
  us
• Sagiv,Reps, Wilhelm TOPLAS98 , Dor, Rodeh,
  Sagiv SAS00
• Verification of concurrent linked lists with
  arbitrary number of processes in
• Yahav POPL01
• 3-valued logic and instrumentation predicates
• Sagiv,Reps, Wilhelm TOPLAS, Lev-Ami, Reps,
  Sagiv, Wilhelm ISSTA 00
• Automatically generating instrumentation
  predicates
• Sagiv,Reps, Wilhelm ESOP 03

78
Shape Analysis

• Deutch used integer constraint lattices to
  compute aliasing information using symbolic
  access paths
• Deutch PLDI94
• The idea of summarization patterns is based on
  the shape types introduced in
• Fradet and Metayer POPL 97

79
Model Checking Software Specifications

• Atlee, Gannon 93
• Translating SCR mode transition tables to input
  language of explicit state model checker EMC
  Clarke, Emerson, Sistla 86
• Chan et al. 98,00
• Translating RSML specifications to input
  language of SMV
• Bharadwaj, Heitmeyer 99
• Translating SCR specifications to Promela, input
  language of automata-theoretic explicit state
  model checker SPIN

80
Specification Languages

• Specification languages for verification
• Milner 80 CCS
• Chandy and Misra 88 Unity
• Lamport 94 Temporal Logic of Actions (TLA)
• Specification languages for model checking
• Holzmann 98 Promela
• McMillan 93 SMV
• Alur and Henzinger 96, 99 Reactive Modules

81
Action Language TLA Connection

• Similarities
• Transition relation is defined using predicates
  on current (unprimed) and next state (primed)
  variables
• Each predicate is defined using integer
  arithmetic, boolean logic, etc.
• Differences In Action Language
• Temporal operators are not used in defining the
  transition relation
• Dual language approach temporal properties (in
  CTL) are redundant, they are used to check
  correctness
• Synchronous and asynchronous composition
  operators are not equivalent to logical operators

82
Constraint-Based Verification

• Cooper 71
• Used a decision procedure for Presburger
  arithmetic to verify sequential programs
  represented in a block form
• Cousot and Halbwachs 78
• Used real arithmetic constraints to discover
  invariants of sequential programs
• Halbwachs 93
• Constraint based delay analysis in synchronous
  programs
• Halbwachs et al. 94
• Verification of linear hybrid systems using
  constraint representations
• Alur et al. 96
• HyTech, a model checker for hybrid systems

83
Constraint-Based Verification

• Boigelot and Wolper 94
• Verification with periodic sets
• Boigelot et al.
• Meta-transitions, accelerations
• Delzanno and Podelski 99
• Built a model checker using constraint logic
  programming framework
• Boudet Comon, Wolper and Boigelot 00
• Translating linear arithmetic constraints to
  automata

84
Automata-Based Representations

• Klarlund et al.
• MONA, an automata manipulation tool for
  verification
• Boudet Comon
• Translating linear arithmetic constraints to
  automata
• Wolper and Boigelot 00
• verification using automata as a symbolic
  representation
• Kukula et al. 98
• application of automata based verification to
  hardware verification

85
Combining Symbolic Representations

• Chan et al. CAV97
• both linear and non-linear constraints are mapped
  to BDDs
• Only data-memoryless and data-invariant
  transitions are supported
• Bharadwaj and Sims TACAS00
• Combines automata based representations (for
  linear arithmetic constraints) with BDDs
• Specialized for inductive invariant checking
• Bensalem et al. 00
• Symbolic Analysis Laboratory
• Designed a specification language that allows
  integration of different verification tools

86
Model Checking Programs

• Verisoft from Bell Labs Godefroid POPL 97
• C programs, handles concurrency, bounded search,
  bounded recursion, stateless search
• Java Path Finder (JPF) at NASA Ames Havelund,
  Visser
• Explicit state model checking for Java programs,
  bounded search, bounded recursion, handles
  concurrency
• SLAM project at Microsoft Research
• Ball, Rajamani et al. SPIN 00, PLDI 01
• Symbolic model checking for C programs, unbounded
  recursion, no concurrency
• Uses predicate abstraction Saidi, Graf 97 and
  BDDs
• BANDERA A tool for extracting finite state
  models from programs Dwyer, Hatcliff et al ICSE
  00, 01

87
Outline

• Difficulties in concurrent programming
• A short history of model checking
• 5 key ideas 2 key tools
• Action Language
• Composite Symbolic Library
• Application to concurrency controllers
• Application to concurrent linked lists
• Related work
• Current and future work

88
Current and Future Work

• Automata representation for linear arithmetic
  constraints
• Interface based specification and verification of
  concurrency controllers
• Specification and verification of web services

89
Automata Representation for Arithmetic Constraints

• Bartzis, Bultan, CIAA 02, Bartzis, Bultan,
  IJFCS
• Bartzis, Bultan TACAS 03, Bartzis, Bultan CAV
  03
• Given a linear arithmetic formula construct a
  deterministic finite automaton that accepts the
  integers that satisfy the formula.
• Used MONA package
• Complexity results

1 0
0 0
0 0
1 0
1 1
0 1
0 1
1 1
0 1 0, 0
0 1 0, 0
0 1 1, 1
0 1 1, 1
A finite automaton for 2x - 3y 2
sink
0 0 1 1 0, 1, 0, 1
90
Concurrency Controllers and Interfaces

• Betin-Can, Bultan SoftMC 03
• Concurrency Controller
• Behavior How do the shared variables change
• Interface In which order are the methods invoked
• Separate Verification
• Behavior verification
• Action Language Verifier
• Interface verification
• Java PathFinder
• A modular approach
• Build complex concurrency controllers by
  composing interfaces

91
Example Interface
92
Verification of Web Services

• Fu, Bultan, Hull, Su TACAS 01, WES 02,
  Bultan,Fu,Hull, Su WWW 03, Fu, Bultan, Su CIAA
  03
• Verification of Vortex workflows using SMV and
  Action Language Verifier
• A top-down approach to specification and
  verification of composite web services
• Specify the composite web service as a
  conversation protocol
• Generate peer specifications from the
  conversation protocol
• Realizability conditions
• Working on the application of this framework to
  BPEL

93
msg1
msg4
Peer A
Peer B
Peer C
Conversation Schema
msg2, msg6
msg3, msg5
LTL property
B?Amsg2
B?Cmsg5
?
Conversation Protocol
G(msg1 ?F(msg3 ? msg5))
A?Bmsg1
B?Amsg6
Model Checking
B?Cmsg3
C? Bmsg4
Peer Synthesis
Peer A
Peer B
Peer C
?msg1
!msg1
Input Queue
!msg3
?msg3
!msg2
?msg2
!msg5
?msg5
?msg4
!msg4
?msg6
!msg6
...
Virtual Watcher
94

• The End