Model%20construction%20and%20verification%20for%20dynamic%20programming%20languages

1
Model construction and verification for dynamic
programming languages

• Radu Iosif (iosif_at_cis.ksu.edu)

2
Outline

• Semantics of dynamic programs
• Extensions to the BIR language
• The dSPIN model checker
• Symmetry and Partial Order reductions
• Abstractions for dynamic languages

3
Semantics

• In a dynamic program the number of state
  components changes constantly along an execution
  path
• Configurations are described by means of partial
  mappings
• Transitions define also how components are
  added/removed from configurations

4
Domains and operations (exp)
Store Variables ?Values? Heap (Locations ?
Store?) X Locations Thread Control X
Store Pool (ThreadId ? Thread?) X
ThreadId State Store X Heap X Pool
new Heap? Heap X Locations start Pool ? Pool
X ThreadId
5
Bandera IR

• A dynamic guarded commands language (invented by
  James Corbett)
• Operational semantics definition
• led to the discovery of a number of
  inconsistencies, e.g. in the runtime type system
• Extended to handle dynamic threads in addition to
  heap objects

6
Future plans for BIR/back-end

• Recursive functions and polymorphism
• Exceptions
• issues related to the observation of exceptional
  events by a property
• Build a dSPIN target

7
dSPIN dynamic SPIN

• Extension of the SPIN model checker with support
  for
• pointers
• dynamic creation of objects
• recursive functions and polymorphic calls
• garbage collection
• www.cis.ksu.edu/iosif/dspin

8
dSPIN (cont.)

• Adding dynamic features to the input languages
  causes the state space to blow up
• On-the-fly reductions
• canonical symmetry reductions for heap
• model checking algorithm that combines heap with
  process symmetry
• use of partial order reductions in combination
  with heap symmetry

9
Symmetry and PO reduction

• Basic idea heap objects can be ordered (strictly
  and totally) based on their reachability chains
• Combining heap with process symmetry uses the
  idea of path unwinding
• This strategy makes symmetry reductions
  compatible with fairness
• Better PO reduction by extending the notion of
  independence to allocators

10
Future plans for dSPIN

• Define the semantics of and implement imprecise
  exceptions
• Add support for handling heap abstractions
• Use of pointer and escape analysis to further
  improve partial order reduction

11
Abstractions for dynamic languages

• Heap abstractions (shape graphs)
• investigate the use of program transformation vs.
  on-the-fly parametric techniques
• refinement of abstractions
• what kind of predicates should be added?
• how can the property guide the refinement?
• how can we use counterexamples?
• Other abstractions threads, locks, stack