Efficient Modular Glass Box Software Model Checking - PowerPoint Presentation

Slide1

Efficient Modular Glass Box Software Model Checking

Michael Roberson

Chandrasekhar Boyapati

The University of MichiganSlide2

Software Model Checking

Exhaustively test programs

On all possible inputs

On all possible schedules

Up to finite boundsSlide3

Binary Tree State Space

Initial State

State Space ExplosionSlide4

State Space Reduction

Many software model checkers

Verisoft

, JPF, CMC, SLAM, Blast, Magic, …

Many state space reduction techniques

Partial order reduction

Predicate abstraction

Effective for

control-oriented

properties

Our work is on

Glass Box Software Model Checking

Effective for

data-oriented properties

Significantly more efficient than previous model checkersSlide5

Modular Glass Box Checking

Check modules against abstractions

Check program replacing modules with abstractions

Modular glass box model checking is

important

Further improve scalability of glass box checking

Modular glass box model checking is

nontrivialSlide6

Modular Checking

Initial State of Module

Initial State of Abstraction

Check outputs at each step

Modular checking in traditional model checkersSlide7

Modular Glass Box Checking

We can't reach this transition!

We

cannot

use reachability through transitions

Programmers must provide a class invariant

State space includes all states that satisfy the invariant

Programmers must provide an abstraction function

We use it to generate the abstraction of each stateSlide8

Equal

Modular Glass Box Checking

Choose a state

Generate abstraction

Run one operation

Check outputs

Generate abstraction on post-state

Check for equality

c1

c2

a1

a2

a2'

Operation

Operation

Abstraction

Abstraction

a1_output

c1_outputSlide9

Outline

Motivation

Example

Approach

Experimental Results

Related Work

ConclusionsSlide10

Integer Counter

class

IntegerCounter

{

Map

map

=

new

SearchTree

();

int

max_frequency

= 0;

int most_frequent = 0;

void count(int

i) { Integer frequency = (Integer)map.get(i);

if (frequency == null

) frequency = new Integer(0); map.insert(i, new Integer(frequency+1));

if (frequency >= max_frequency

) { max_frequency = frequency;

most_frequent = i; } }

int get_most_frequent

() { return most_frequent

; } int

get_max_frequency() { return

max_frequency; }}

new

AbstractMap();

Count an integer

Return most frequent integer

Return frequency of most frequent integer

Frequencies are stored in a Map

Modular Approach:

Replace Module with AbstractionSlide11

Module vs Abstraction

SearchTree

Implements

Map

get, insert, delete

Balanced binary tree

Efficient execution

Larger state space

AbstractMap

Implements

Map

get, insert, delete

Linked list

Simple execution

Smaller state space

5

2

6

1

4

1

2

4

5

6

vsSlide12

Checking SearchTree

Choose a state

Generate abstraction

Run one operation

Check outputs

Generate abstraction on post-state

Check for equality

Equal

c2

a1

a2

a2'

Operation

Operation

Abstraction

Abstraction

5

2

6

1

4

c1Slide13

Checking SearchTree

Choose a state

Generate abstraction

Run one operation

Check outputs

Generate abstraction on post-state

Check for equality

5

2

6

1

4

Equal

c2

a1

a2

a2'

Operation

Operation

Abstraction

Abstraction

1

2

4

5

6Slide14

Equal

a2

insert(3,x)

Checking SearchTree

Choose a state

Generate abstraction

Run one operation

Check outputs

Generate abstraction on post-state

Check for equality

5

2

6

1

4

insert(3,x)

5

2

6

1

4

3

1

2

3

4

5

6

c2

a2'

Operation

Operation

Abstraction

Abstraction

1

2

4

5

6Slide15

Checking SearchTree

Choose a state

Generate abstraction

Run one operation

Check outputs

Generate abstraction on post-state

Check for equality

Equal

insert(3,x)

5

2

6

1

4

insert(3,x)

5

2

6

1

4

3

1

2

3

4

5

6

a2'

Abstraction

Abstraction

1

2

4

5

6

a1_output

c1_outputSlide16

Checking SearchTree

Choose a state

Generate abstraction

Run one operation

Check outputs

Generate abstraction on post-state

Check for equality

Equal

insert(3,x)

5

2

6

1

4

insert(3,x)

5

2

6

1

4

3

1

2

3

4

5

6

a2'

Abstraction

Abstraction

1

2

4

5

6

1

2

3

4

5

6Slide17

Checking SearchTree

Choose a state

Generate abstraction

Run one operation

Check outputs

Generate abstraction on post-state

Check for equality

Equal

insert(3,x)

5

2

6

1

4

insert(3,x)

5

2

6

1

4

3

1

2

3

4

5

6

Abstraction

Abstraction

1

2

4

5

6

1

2

3

4

5

6

Slide18

Glass Box Pruning

5

2

6

1

4

insert(3,x)

5

2

6

1

4

3

insert(3,x)

5

2

1

4

5

2

1

4

3

insert(3,x)

5

2

6

4

3

7

5

2

6

4

7

An insert operation only touches one path

Insert behaves similarly on many statesSlide19

insert(3,x)

5

2

6

4

3

7

5

2

6

4

7

insert(3,x)

5

2

1

4

5

2

1

4

3

Glass Box Pruning

5

2

6

1

4

insert(3,x)

5

2

6

1

4

3

PRUNED

We don't need to check more than one of these

We can prune all others from the state spaceSlide20

insert(3,x)

5

2

6

4

3

7

5

2

6

4

7

insert(3,x)

5

2

1

4

5

2

1

4

3

Glass Box Pruning

5

2

6

1

4

insert(3,x)

5

2

6

1

4

3

PRUNED

We check each tree path, not each tree

This reduces the state space dramaticallySlide21

Checking IntegerCounter

5

2

6

1

4

IntegerCounter'

1

2

4

5

6

IntegerCounter with SearchTree

IntegerCounter with AbstractMap

Smaller

state space

Better

state space reduction

Faster

analysis

vs

2

4

1

6

5

4

5

1

6

2

4

2

5

1

6

5

2

6

1

4

5

2

6

1

4

4

2

6

1

5

1

2

4

5

6

IntegerCounterSlide22

Outline

Motivation

Example

Approach

Program specification

Search algorithm

State space representation

State space reduction

Experimental Results

Related Work

ConclusionsSlide23

Module Implementation

class

SearchTree

implements

Map {

class

Node {

int

key;

Object value;

Node left;

Node right;

}

Node root;

Object get(int key) {

/* ... */ }

void insert(int key, Object value) {

/* ... */ }

void remove(int key) {

/* ... */ }}

Map interface methods

c1

c2

OperationSlide24

Equal

a2

a2'

Abstraction

class

AbstractMap

implements

Map {

class

Node {

Object key;

Object value;

Node next;

}

Node head;

Object get(

int

key) {

/* ... */

}

void

insert(

int key, Object value) {

/* ... */ } void

remove(int key) { /* ... */

} @Declarative

boolean equalTo(AbstractMap m) { /* ... */ }

}

Map interface methods

Equality test

Declarative

methods

Subset of Java

Free of side effects

Used for specification

Aid our analyses

a1

a2

OperationSlide25

Module Specification

class

SearchTree

implements

Map {

class

Node {

int

key;

Object value;

Node left;

Node right;

}

Node root;

/* ... Map operations ... */

@Declarative boolean repOk() {

/* ... */ }

AbstractMap abstraction() { /* ... */ }

}

Module Invariant

Abstraction function

c1

a1

AbstractionSlide26

Approach

Program specification

Search algorithm

State space representation

State space reductionSlide27

Search Algorithm

5

2

6

1

4

Choose an unchecked valid state

insert(3,x)

@Declarative

boolean

repOk() {

/* ... */

}Slide28

Search Algorithm

5

2

6

1

4

Generate its abstraction

insert(3,x)

1

2

4

5

6

AbstractMap abstraction() {

/* ... */

}Slide29

Search Algorithm

5

2

6

1

4

Run the operation on both states

insert(3,x)

5

2

6

1

4

3

1

2

3

4

5

6

void

insert(

int

key, Object value) {

/* ... */

}

1

2

4

5

6Slide30

Search Algorithm

Generate the post-state abstraction

insert(3,x)

AbstractMap abstraction() {

/* ... */

}

5

2

6

1

4

5

2

6

1

4

3

1

2

3

4

5

6

1

2

4

5

6

1

2

3

4

5

6Slide31

Search Algorithm

Check invariant and abstraction equality

insert(3,x)

@Declarative

boolean

repOk() {

/* ... */

}

@Declarative

boolean

equalTo

(

AbstractMap

m) {

/* ... */

}

5

2

6

1

4

5

2

6

1

4

3

1

2

3

4

5

6

1

2

4

5

6

1

2

3

4

5

6Slide32

insert(3,x)

5

2

1

4

5

2

1

4

3

insert(3,x)

5

2

6

4

3

7

5

2

6

4

7

State Space Reduction

5

2

6

1

4

insert(3,x)

5

2

6

1

4

3

PRUNED

Identify and prune similar statesSlide33

Search Algorithm

Let

S

be the states that satisfy

repOk

()

While

S

is not empty

Choose a state

s

in

S

.

Check

s

.

Let P be the set of states similar to s

S = S - P

Need efficient representation and operations for these sets!Slide34

Approach

Program specification

Search algorithm

State space representation

State space reductionSlide35

Representation

Represent a set as a boolean formula

Encode each field as bits (

b0

,

b1

, …)

Constrain the bits using boolean operations

n1.left = null || n1.key > n2.key

Ø

b4

Ú

(b1

Ù Øb7) Ú

((b1 Ú Ø

b7) Ù b0 Ù

Øb6)

key = {b0,b1}

value = {b2,b3}

left = {b4}

right = {b5}

n1

key = {b6,b7}

value = {b8,b9}

left = {}

right = {}

n2

...Slide36

Representation

Initialize to set of states that satisfy invariant

Construct a formula describing invariant

boolean formula

@Declarative

boolean

repOk() {

/* ... */

}Slide37

Representation

Initialize to set of states that satisfy invariant

Construct a formula describing invariant

Declarative methods

No assignment, object creation, or loops

Declarative methods allow efficient translation

Declarative methods produce compact formulas

@Declarative

boolean

repOk() {

/* ... */

}Slide38

Search Algorithm

Use a SAT solver

Add

¬P

to the SAT solver

Let

S

be the states that satisfy

repOk

()

While

S

is not empty

Choose a state

s

in

S

.

Check

s

.

Let

P

be the set of states similar to

s

S

=

S

-

PSlide39

Approach

Program specification

Search algorithm

State space representation

State space reduction

Dynamic analysis

Static analysisSlide40

Dynamic Analysis

Discover and prune states that are similar

Symbolic execution

Generates a path constraint,

P

P

holds for states that traverse the same code path

P

is the set of similar states to be pruned

5

2

6

1

4

insert(3,x)Slide41

Dynamic Analysis

Discover and prune states that are similar

Symbolic execution

Generates a path constraint,

P

P

holds for states that traverse the same code path

P

is the set of similar states to be pruned

n1

n2

n3

n4

n5

op(key,value)

op = insert

&& root = n1 && key < n1.key

&& n1.left = n2 && key > n2.key

&& n2.right = n5 && key < n5.key

&& n5.left = null

Operation is insert

Node exists, is greater/less than key

Final node does not exist (yet)Slide42

Static Analysis

Dynamic analysis finds

P

, the similar states

Pruning these states is not always correct!

class

WhyStaticAnalysis {

boolean

a, b;

void

operation() {

if (a) a = false;

else a = true;

}

@Declarative

boolean repOk() { return a || b;

}}

a = true

b = true

a = false

b = true

a = true

b = false

a = false

b = false

a = true

P :=

We use a static analysis to ensure correctness

All pruned transitions checked together

Any error within finite bounds is caught



Slide43

Static Analysis

class

WhyStaticAnalysis {

boolean

a, b;

void

operation() {

if (a) a = false;

else a = true;

}

@Declarative

boolean

repOk() { return a || b;

}}

a = true

b = true

a = false

b = true

a = true

b

a = false

b

a = true

P :=



Prestate

of a pruned transition

Poststate

of a pruned transition

repOk

= (a || b)

repOk

Pre

=

(a || b)

a=true

= true

repOk

Post

=

(a || b)

a=false

= b

repOk

Pre

®

repOk

Post

=

b

Not valid when b = false!

Invariant

Prestate Invariant

Poststate Invariant

Correct TransitionSlide44

Static Analysis

For every valid prestate in

P

, the following hold

The invariant is maintained in the poststate

Equality of abstractions

repOk

pre

® repOk

post && abs_post.equalTo(abs_post')

Use a SAT solver to check

If it holds then pruning is sound

If not, we have a counterexample

Equal

pre

post

abs

pre

abs

post

abs

post'

Operation

Operation

Abstraction

Abstraction

boolean formulaSlide45

Outline

Motivation

Example

Approach

Experimental Results

Related Work

ConclusionsSlide46

Checking Modules vs Abstractions

TreeMap

Implemented with a red-black tree

HashMap

Implemented with a hash table

AbstractMap

Implemented with a linked list of (key, value) pairsSlide47

Checking Modules vs Abstractions

TreeSet

Implemented with a TreeMap

HashSet

Implemented with a HashMap

AbstractSet

Implemented with a linked list of set itemsSlide48

Maps vs AbstractMap

Benchmark

Max Number of Nodes

JPF

Korat

Blast

Glass Box Checker

TreeMap

vs

AbstractMap

1

2

3

4

…

8

9

…

15

31

63

1.218

5.556

memory out

0.608

0.613

0.676

0.732

…

2202.31

timeout

aborted

0.188

0.244

0.392

0.485

…

1.124

1.491

…

4.571

40.405

787.411

HashMap

vs

AbstractMap

1

2

3

4

…

10

11

12

…

16

32

64

0.674

6.514

memory out

0.465

0.497

0.539

0.810

…

150.932

1203.986

timeout

aborted

0.176

0.227

0.256

0.305

…

0.780

0.953

1.162

…

2.879

75.139

2004.723

We check over 2

35

trees in under 15 minutesSlide49

Sets vs AbstractSet

Benchmark

Max Number of Nodes

JPF

Korat

Blast

Glass Box Checker

TreeSet

vs

AbstractSet

1

2

3

4

…

13

14

15

…

31

63

0.537

0.950

26.816

memory out

0.638

0.648

0.693

1.020

…

615.524

1706.41

timeout

aborted

0.195

0.246

0.393

0.489

…

3.065

3.399

4.481

…

39.789

796.955

HashSet

vs

AbstractSet

1

2

3

4

…

13

14

15

16

…

32

64

0.728

0.781

6.574

memory out

0.520

0.511

0.716

0.570

…

238.420

593.045

952.317

timeout

aborted

0.171

0.221

0.248

0.299

…

1.344

1.608

2.029

2.816

…

68.011

2543.034Slide50

Checking Clients

Benchmark

Max Size

Original

Program

Maps Replaced with AbstractMap

IntegerCounter

1

2

3

…

7

15

31

63

127

255

0.198

0.279

0.469

…

1.182

5.591

41.5

632.488

timeout

0.113

0.154

0.164

…

0.267

0.539

1.867

10.794

93.276

946.091

DualCache

1

2

3

…

7

15

31

63

127

255

0.203

0.283

0.503

…

1.207

5.765

53.434

723.267

timeout

0.222

0.323

0.327

…

0.529

1.015

4.057

26.192

215.521

2180.506Slide51

Checking Clients

Benchmark

Max Number of Nodes

Original

Program

Maps Replaced with AbstractMap

TreeSet

1

2

3

…

7

15

31

63

127

255

511

0.195

0.246

0.393

...

0.961

4.481

39.789

796.955

timeout

0.122

0.153

0.167

…

0.251

0.429

0.991

3.388

16.690

184.827

425.328

HashSet

1

2

3

4

5

…

16

32

64

128

256

512

0.171

0.221

0.248

0.299

0.363

…

2.816

68.011

2543.034

timeout

0.106

0.141

0.153

0.169

0.193

…

0.451

0.989

3.464

17.071

91.629

754.426Slide52

Related Work

State space reduction techniques

Abstraction & refinement

[SLAM; Blast; Magic]

Partial order reduction

[Godefroid97; Flanagan05]

Heap canonicalization

[Musuvathi05; Iosif02]

Symmetry reduction

[Ip93]Slide53

Related Work

Software model checkers

Verisoft

[Godefroid97]

Java Pathfinder

[Visser00]

CMC

[Musuvathi02]

Bandera

[Corbett00]

Bogor [Dwyer05]

SLAM [Ball01]

Blast [Henzinger02]

Magic [Chaki03]

Jalloy [Vaziri03]

Miniatur [Dolby07]Slide54

Conclusions

Significant improvement over traditional model checkers for checking complex data dependent properties

A promising approach to checking much larger programs and broader classes of program properties than is currently possible

Modular Glass Box Model Checking Offers: