Michael Roberson Chandrasekhar Boyapati The University of Michigan Software Model Checking Exhaustively test programs On all possible inputs On all possible schedules Up to finite bounds Binary Tree State Space ID: 778672
Download The PPT/PDF document "Efficient Modular Glass Box Software Mod..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Efficient Modular Glass Box Software Model Checking
Michael Roberson
Chandrasekhar Boyapati
The University of Michigan
Slide2Software Model Checking
Exhaustively test programs
On all possible inputs
On all possible schedules
Up to finite bounds
Slide3Binary Tree State Space
Initial State
State Space Explosion
Slide4State Space Reduction
Many software model checkers
Verisoft
, JPF, CMC, SLAM, Blast, Magic, …
Many state space reduction techniques
Partial order reduction
Predicate abstraction
Effective for
control-oriented
properties
Our work is on
Glass Box Software Model Checking
Effective for
data-oriented properties
Significantly more efficient than previous model checkers
Slide5Modular Glass Box Checking
Check modules against abstractions
Check program replacing modules with abstractions
Modular glass box model checking is
important
Further improve scalability of glass box checking
Modular glass box model checking is
nontrivial
Slide6Modular Checking
Initial State of Module
Initial State of Abstraction
Check outputs at each step
Modular checking in traditional model checkers
Slide7Modular Glass Box Checking
We can't reach this transition!
We
cannot
use reachability through transitions
Programmers must provide a class invariant
State space includes all states that satisfy the invariant
Programmers must provide an abstraction function
We use it to generate the abstraction of each state
Slide8Equal
Modular Glass Box Checking
Choose a state
Generate abstraction
Run one operation
Check outputs
Generate abstraction on post-state
Check for equality
c1
c2
a1
a2
a2'
Operation
Operation
Abstraction
Abstraction
a1_output
c1_output
Slide9Outline
Motivation
Example
Approach
Experimental Results
Related Work
Conclusions
Slide10Integer Counter
class
IntegerCounter
{
Map
map
=
new
SearchTree
();
int
max_frequency
= 0;
int most_frequent = 0;
void count(int
i) { Integer frequency = (Integer)map.get(i);
if (frequency == null)
frequency = new Integer(0); map.insert(i, new Integer(frequency+1));
if (frequency >= max_frequency
) { max_frequency = frequency;
most_frequent = i; } }
int get_most_frequent() {
return most_frequent;
} int
get_max_frequency() { return
max_frequency; }}
new
AbstractMap();
Count an integer
Return most frequent integer
Return frequency of most frequent integer
Frequencies are stored in a Map
Modular Approach:
Replace Module with Abstraction
Slide11Module vs Abstraction
SearchTree
Implements
Map
get, insert, delete
Balanced binary tree
Efficient execution
Larger state space
AbstractMap
Implements
Map
get, insert, delete
Linked list
Simple execution
Smaller state space
5
2
6
1
4
1
2
4
5
6
vs
Slide12Checking SearchTree
Choose a state
Generate abstraction
Run one operation
Check outputs
Generate abstraction on post-state
Check for equality
Equal
c2
a1
a2
a2'
Operation
Operation
Abstraction
Abstraction
5
2
6
1
4
c1
Slide13Checking SearchTree
Choose a state
Generate abstraction
Run one operation
Check outputs
Generate abstraction on post-state
Check for equality
5
2
6
1
4
Equal
c2
a1
a2
a2'
Operation
Operation
Abstraction
Abstraction
1
2
4
5
6
Slide14Equal
a2
insert(3,x)
Checking SearchTree
Choose a state
Generate abstraction
Run one operation
Check outputs
Generate abstraction on post-state
Check for equality
5
2
6
1
4
insert(3,x)
5
2
6
1
4
3
1
2
3
4
5
6
c2
a2'
Operation
Operation
Abstraction
Abstraction
1
2
4
5
6
Slide15Checking SearchTree
Choose a state
Generate abstraction
Run one operation
Check outputs
Generate abstraction on post-state
Check for equality
Equal
insert(3,x)
5
2
6
1
4
insert(3,x)
5
2
6
1
4
3
1
2
3
4
5
6
a2'
Abstraction
Abstraction
1
2
4
5
6
a1_output
c1_output
Slide16Checking SearchTree
Choose a state
Generate abstraction
Run one operation
Check outputs
Generate abstraction on post-state
Check for equality
Equal
insert(3,x)
5
2
6
1
4
insert(3,x)
5
2
6
1
4
3
1
2
3
4
5
6
a2'
Abstraction
Abstraction
1
2
4
5
6
1
2
3
4
5
6
Slide17Checking SearchTree
Choose a state
Generate abstraction
Run one operation
Check outputs
Generate abstraction on post-state
Check for equality
Equal
insert(3,x)
5
2
6
1
4
insert(3,x)
5
2
6
1
4
3
1
2
3
4
5
6
Abstraction
Abstraction
1
2
4
5
6
1
2
3
4
5
6
Slide18Glass Box Pruning
5
2
6
1
4
insert(3,x)
5
2
6
1
4
3
insert(3,x)
5
2
1
4
5
2
1
4
3
insert(3,x)
5
2
6
4
3
7
5
2
6
4
7
An insert operation only touches one path
Insert behaves similarly on many states
Slide19insert(3,x)
5
2
6
4
3
7
5
2
6
4
7
insert(3,x)
5
2
1
4
5
2
1
4
3
Glass Box Pruning
5
2
6
1
4
insert(3,x)
5
2
6
1
4
3
PRUNED
We don't need to check more than one of these
We can prune all others from the state space
Slide20insert(3,x)
5
2
6
4
3
7
5
2
6
4
7
insert(3,x)
5
2
1
4
5
2
1
4
3
Glass Box Pruning
5
2
6
1
4
insert(3,x)
5
2
6
1
4
3
PRUNED
We check each tree path, not each tree
This reduces the state space dramatically
Slide21Checking IntegerCounter
5
2
6
1
4
IntegerCounter'
1
2
4
5
6
IntegerCounter with SearchTree
IntegerCounter with AbstractMap
Smaller
state space
Better
state space reduction
Faster
analysis
vs
2
4
1
6
5
4
5
1
6
2
4
2
5
1
6
5
2
6
1
4
5
2
6
1
4
4
2
6
1
5
1
2
4
5
6
IntegerCounter
Slide22Outline
Motivation
Example
Approach
Program specification
Search algorithm
State space representation
State space reduction
Experimental Results
Related Work
Conclusions
Slide23Module Implementation
class
SearchTree
implements
Map {
class
Node {
int
key;
Object value;
Node left;
Node right;
}
Node root;
Object get(int key) {
/* ... */ }
void insert(int key, Object value) {
/* ... */ }
void remove(int key) {
/* ... */ }}
Map interface methods
c1
c2
Operation
Slide24Equal
a2
a2'
Abstraction
class
AbstractMap
implements
Map {
class
Node {
Object key;
Object value;
Node next;
}
Node head;
Object get(
int
key) {
/* ... */
}
void
insert(
int key, Object value) {
/* ... */ } void
remove(int key) { /* ... */
} @Declarative
boolean equalTo(AbstractMap m) { /* ... */ }
}
Map interface methods
Equality test
Declarative
methods
Subset of Java
Free of side effects
Used for specification
Aid our analyses
a1
a2
Operation
Slide25Module Specification
class
SearchTree
implements
Map {
class
Node {
int
key;
Object value;
Node left;
Node right;
}
Node root;
/* ... Map operations ... */
@Declarative boolean repOk() {
/* ... */ }
AbstractMap abstraction() { /* ... */ }}
Module Invariant
Abstraction function
c1
a1
Abstraction
Slide26Approach
Program specification
Search algorithm
State space representation
State space reduction
Slide27Search Algorithm
5
2
6
1
4
Choose an unchecked valid state
insert(3,x)
@Declarative
boolean
repOk() {
/* ... */
}
Slide28Search Algorithm
5
2
6
1
4
Generate its abstraction
insert(3,x)
1
2
4
5
6
AbstractMap abstraction() {
/* ... */
}
Slide29Search Algorithm
5
2
6
1
4
Run the operation on both states
insert(3,x)
5
2
6
1
4
3
1
2
3
4
5
6
void
insert(
int
key, Object value) {
/* ... */
}
1
2
4
5
6
Slide30Search Algorithm
Generate the post-state abstraction
insert(3,x)
AbstractMap abstraction() {
/* ... */
}
5
2
6
1
4
5
2
6
1
4
3
1
2
3
4
5
6
1
2
4
5
6
1
2
3
4
5
6
Slide31Search Algorithm
Check invariant and abstraction equality
insert(3,x)
@Declarative
boolean
repOk() {
/* ... */
}
@Declarative
boolean
equalTo
(
AbstractMap
m) {
/* ... */
}
5
2
6
1
4
5
2
6
1
4
3
1
2
3
4
5
6
1
2
4
5
6
1
2
3
4
5
6
Slide32insert(3,x)
5
2
1
4
5
2
1
4
3
insert(3,x)
5
2
6
4
3
7
5
2
6
4
7
State Space Reduction
5
2
6
1
4
insert(3,x)
5
2
6
1
4
3
PRUNED
Identify and prune similar states
Slide33Search Algorithm
Let
S
be the states that satisfy
repOk
()
While
S
is not empty
Choose a state
s
in
S
.
Check
s
.
Let P be the set of states similar to s S
= S - P
Need efficient representation and operations for these sets!
Slide34Approach
Program specification
Search algorithm
State space representation
State space reduction
Slide35Representation
Represent a set as a boolean formula
Encode each field as bits (
b0
,
b1
, …)
Constrain the bits using boolean operations
n1.left = null || n1.key > n2.key
Ø
b4
Ú
(b1
Ù Øb7) Ú
((b1 Ú Ø
b7) Ù b0 Ù
Øb6)
key = {b0,b1}
value = {b2,b3}
left = {b4}
right = {b5}
n1
key = {b6,b7}
value = {b8,b9}
left = {}
right = {}
n2
...
Slide36Representation
Initialize to set of states that satisfy invariant
Construct a formula describing invariant
boolean formula
@Declarative
boolean
repOk() {
/* ... */
}
Slide37Representation
Initialize to set of states that satisfy invariant
Construct a formula describing invariant
Declarative methods
No assignment, object creation, or loops
Declarative methods allow efficient translation
Declarative methods produce compact formulas
@Declarative
boolean
repOk() {
/* ... */
}
Slide38Search Algorithm
Use a SAT solver
Add
¬P
to the SAT solver
Let
S
be the states that satisfy
repOk
()
While
S
is not empty
Choose a state
s
in
S
.
Check
s
.
Let
P
be the set of states similar to
s
S
=
S
-
P
Slide39Approach
Program specification
Search algorithm
State space representation
State space reduction
Dynamic analysis
Static analysis
Slide40Dynamic Analysis
Discover and prune states that are similar
Symbolic execution
Generates a path constraint,
P
P
holds for states that traverse the same code path
P
is the set of similar states to be pruned
5
2
6
1
4
insert(3,x)
Slide41Dynamic Analysis
Discover and prune states that are similar
Symbolic execution
Generates a path constraint,
P
P
holds for states that traverse the same code path
P
is the set of similar states to be pruned
n1
n2
n3
n4
n5
op(key,value)
op = insert
&& root = n1 && key < n1.key
&& n1.left = n2 && key > n2.key
&& n2.right = n5 && key < n5.key
&& n5.left = null
Operation is insert
Node exists, is greater/less than key
Final node does not exist (yet)
Slide42Static Analysis
Dynamic analysis finds
P
, the similar states
Pruning these states is not always correct!
class
WhyStaticAnalysis {
boolean
a, b;
void
operation() {
if (a) a = false;
else a = true;
}
@Declarative boolean
repOk() { return a || b;
}}
a = true
b = true
a = false
b = true
a = true
b = false
a = false
b = false
a = true
P :=
We use a static analysis to ensure correctness
All pruned transitions checked together
Any error within finite bounds is caught
Slide43Static Analysis
class
WhyStaticAnalysis {
boolean
a, b;
void
operation() {
if (a) a = false;
else a = true;
}
@Declarative
boolean
repOk() { return a || b;
}}
a = true
b = true
a = false
b = true
a = true
b
a = false
b
a = true
P :=
Prestate
of a pruned transition
Poststate
of a pruned transition
repOk
= (a || b)
repOk
Pre
=
(a || b)
a=true
= true
repOk
Post
=
(a || b)
a=false
= b
repOk
Pre
®
repOk
Post
=
b
Not valid when b = false!
Invariant
Prestate Invariant
Poststate Invariant
Correct Transition
Slide44Static Analysis
For every valid prestate in
P
, the following hold
The invariant is maintained in the poststate
Equality of abstractions
repOk
pre
® repOk
post && abs_post.equalTo(abs_post')
Use a SAT solver to check
If it holds then pruning is sound
If not, we have a counterexample
Equal
pre
post
abs
pre
abs
post
abs
post'
Operation
Operation
Abstraction
Abstraction
boolean formula
Slide45Outline
Motivation
Example
Approach
Experimental Results
Related Work
Conclusions
Slide46Checking Modules vs Abstractions
TreeMap
Implemented with a red-black tree
HashMap
Implemented with a hash table
AbstractMap
Implemented with a linked list of (key, value) pairs
Slide47Checking Modules vs Abstractions
TreeSet
Implemented with a TreeMap
HashSet
Implemented with a HashMap
AbstractSet
Implemented with a linked list of set items
Slide48Maps vs AbstractMap
Benchmark
Max Number of Nodes
JPF
Korat
Blast
Glass Box Checker
TreeMap
vs
AbstractMap
1
2
3
4
…
8
9
…
15
31
63
1.218
5.556
memory out
0.608
0.613
0.676
0.732
…
2202.31
timeout
aborted
0.188
0.244
0.392
0.485
…
1.124
1.491
…
4.571
40.405
787.411
HashMap
vs
AbstractMap
1
2
3
4
…
10
11
12
…
16
32
64
0.674
6.514
memory out
0.465
0.497
0.539
0.810
…
150.932
1203.986
timeout
aborted
0.176
0.227
0.256
0.305
…
0.780
0.953
1.162
…
2.879
75.139
2004.723
We check over 2
35
trees in under 15 minutes
Slide49Sets vs AbstractSet
Benchmark
Max Number of Nodes
JPF
Korat
Blast
Glass Box Checker
TreeSet
vs
AbstractSet
1
2
3
4
…
13
14
15
…
31
63
0.537
0.950
26.816
memory out
0.638
0.648
0.693
1.020
…
615.524
1706.41
timeout
aborted
0.195
0.246
0.393
0.489
…
3.065
3.399
4.481
…
39.789
796.955
HashSet
vs
AbstractSet
1
2
3
4
…
13
14
15
16
…
32
64
0.728
0.781
6.574
memory out
0.520
0.511
0.716
0.570
…
238.420
593.045
952.317
timeout
aborted
0.171
0.221
0.248
0.299
…
1.344
1.608
2.029
2.816
…
68.011
2543.034
Slide50Checking Clients
Benchmark
Max Size
Original
Program
Maps Replaced with AbstractMap
IntegerCounter
1
2
3
…
7
15
31
63
127
255
0.198
0.279
0.469
…
1.182
5.591
41.5
632.488
timeout
0.113
0.154
0.164
…
0.267
0.539
1.867
10.794
93.276
946.091
DualCache
1
2
3
…
7
15
31
63
127
255
0.203
0.283
0.503
…
1.207
5.765
53.434
723.267
timeout
0.222
0.323
0.327
…
0.529
1.015
4.057
26.192
215.521
2180.506
Slide51Checking Clients
Benchmark
Max Number of Nodes
Original
Program
Maps Replaced with AbstractMap
TreeSet
1
2
3
…
7
15
31
63
127
255
511
0.195
0.246
0.393
...
0.961
4.481
39.789
796.955
timeout
0.122
0.153
0.167
…
0.251
0.429
0.991
3.388
16.690
184.827
425.328
HashSet
1
2
3
4
5
…
16
32
64
128
256
512
0.171
0.221
0.248
0.299
0.363
…
2.816
68.011
2543.034
timeout
0.106
0.141
0.153
0.169
0.193
…
0.451
0.989
3.464
17.071
91.629
754.426
Slide52Related Work
State space reduction techniques
Abstraction & refinement
[SLAM; Blast; Magic]
Partial order reduction
[Godefroid97; Flanagan05]
Heap canonicalization
[Musuvathi05; Iosif02]
Symmetry reduction
[Ip93]
Slide53Related Work
Software model checkers
Verisoft
[Godefroid97]
Java Pathfinder
[Visser00]
CMC
[Musuvathi02]
Bandera
[Corbett00]
Bogor [Dwyer05]
SLAM [Ball01]
Blast [Henzinger02]
Magic [Chaki03]
Jalloy [Vaziri03]
Miniatur [Dolby07]
Slide54Conclusions
Significant improvement over traditional model checkers for checking complex data dependent properties
A promising approach to checking much larger programs and broader classes of program properties than is currently possible
Modular Glass Box Model Checking Offers: