Pulse: Plural To EVMDD-SMC

Transcription

1 Pulse: Plural To EVMDD-SMC Automated Verification of Specifications with Typestates and Access Permissions Ijaz Ahmed 1 Néstor Cataño 1 Radu I. Siminiceanu 2 1 Carnegie Mellon University - Portugal, The University of Madeira 2 National Institute of Aerospace, Virginia, USA November 9, 2011

2 1 Background Model Checking Plural and EVMDD-SMC Access Permissions and TypeStates 2 Abstract Models of Plural Specification States Space and Relations Translation Algorithm Structure of Generated Model 3 Pulse Working MTTS Case Study Results 4 Planned Extensions

3 Model Checking Plural and EVMDD-SMC Access Permissions and TypeStates Model Checking Automatic technique to verify correctness of a FSM Two Basic Phases Construction of model M of the system Test whether the model M verifies a given property P Popular for counter examples and traces Used to verify both hardware and software system Can be used to verify specification (The focus of our work)

4 Model Checking Plural and EVMDD-SMC Access Permissions and TypeStates Plural and EVMDD-SMC Plural A lightweight verification tool of Java programs by CMU Verify access permissions and typestates An Eclipse plug-in based on static analysis EVMDD-SMC A symbolic model checking tool by NIA Considered faster than well-known model checkers like SAL Less syntactic sugar and edge value decision diagrams

5 Model Checking Plural and EVMDD-SMC Access Permissions and TypeStates Access Permissions and TypeStates Access Permission Is a read or write capability of a reference to a an object Keep track of the various references to an object Can be used to reason (do) parallelism TypeStates Compiler checkable abstraction of the states of an object Provides a way to safe operation over an object Can be used to reason implementation

6 Model Checking Plural and EVMDD-SMC Access Permissions and TypeStates Simultaneous Access Permissions Taxonomy This reference Permission Other references Unique read/write Full read/write Pure Share read/write Share, Pure Pure read-only Full, Share, Pure, Immutable Immutable read-only Pure, Immutable

7 Abstract Models of Plural Specification States Space and Relations Translation Algorithm Structure of Generated Model Pulse Translates Plural specifications into EVMDD-SMC model Why Verification of an industrial application with Plural Tool 1 Plural has some limitations notably, Reachability Analysis Model checkers are good to do Reachability Analysis Uses the Antlr parser generator Works as an Eclipse plug-in 1 FMICS 2011, Italy

8 Abstract Models of Plural Specification States Space and Relations Translation Algorithm Structure of Generated Model Pulse Features (1) Do an exhaustive and tractable analysis of specifications (2) Check the deadlocked (sink) states (typestates) (3) Check the unreachable states (4) Check the unreachable methods (5) Check the possible concurrent methods (6) Reason program implementation (7) Check correct useage of the access permission

9 Abstract Models of Plural Specification States Space and Relations Translation Algorithm Structure of Generated Model Abstract Models of Plural Specification Access Permissions associated to object reference r j i : ap j i AP = {, Unique, Full, Pure, Immutable, Share} Typestate associated to object referencer j i : ts i T S i = { } {ti 1,..., th i i } Program Counter associated to method m i : (pc j i ) PC i = {Exe, notexe} ( { } {Mi 1,... Mm i i } )

10 Abstract Models of Plural Specification States Space and Relations Translation Algorithm Structure of Generated Model States Space and Relations Set of potential global states S: c S = { }, ti 1,..., t h i i i=1 K (PC i AP) j=0 Transition relation between states: R S S.

11 Abstract Models of Plural Specification States Space and Relations Translation Algorithm Structure of Generated Model Translation full(this) in StateA, ensures= full(this) in StateB ) public void m(){... } StartMethod( s:globalstate, t:globaltypestate, r j i :Reference, m:method i, :Triple Triple ) guard s[i][j].ap s[i][j].pc = (notexe, ) t[i 0 ] = ts j 0 i0 compatible (s[i 0 ][j 0 ].ap, ap 0 ) compatible (s[i 1 ][j 1 ].ap, ap 1 ) update s [i][j].pc = (Exe, m) ChangePermission (s[i 0 ][j 0 ], ap 0 ) return guard update (( r j 0 i0, ts k 0 i 0, ap 0 ), ( r j 1 i1, ts k 1 i 1, ap 1 ))

12 Abstract Models of Plural Specification States Space and Relations Translation Algorithm Structure of Generated Model Translation Algorithm (Co.) EndMethod( s: GlobalState, t: GlobalTypestate, r j i : Reference, m : Method i, (( r j 0 i0, ts k ) ( 0, ap i 0, r j 1 0 i1, ts k )) 1, ap i 1 :Triple Triple ) 1 guard s[i][j].pc = (Exe, m) update t [i 1 ] = ts k 1 s [i i 1 ][j 1 ].ap = ap 1 s [i][j].pc = (notexe, m) 1 m) changepermission (s[i 1 ][j 1 ].ap, ap 1 ) return guard update

13 Abstract Models of Plural Specification States Space and Relations Translation Algorithm Structure of Generated Model Structure of Generated Model Variables Declaration (Initilisation) Section Transitions Relation Section Aliasing Section Properties Section (Properties of Interest based on CTL)

14 Abstract Models of Plural Specification States Space and Relations Translation Algorithm Structure of Generated Model Properties of Interest Sink States (Deadlock) deadlock : EX(true) Typesates Transition Matrix(Graph) adjacent i (t 1, t 2 ) : state i = t 1 EX(state i = t 2 ) Concurrency concurrent ( i (m 1, m 2 ) : ) EF pc j 1 i = (m 1, Exe) pc j 2 i = (m 2, Exe) Methods Reachability ( ) method j i : EX pc j i = (m i, Exe)

15 Pulse Working Background Pulse Working MTTS Case Study Results

16 Pulse Working MTTS Case Study Results = Empty = Filled ) }) public class MttsTaskDataX (ensures= Unique(this) in Empty ) MttsTaskDataX() { Full(this) in Empty ) Missing Ensures Clause??? i.e ensures= Full (this) in Filled public void settaskdata() { Created Ready Destroyed ) }) public class MttsTask { private MttsTaskDataX (ensures= Unique(this) in Created ) MttsTask() {... Full(this) in Created * Pure(d) in Filled, ensures= Full(this) in Ready ) public void setdata(mttstaskdatax d) {... Full(this) in Ready, ensures= Full(this) in Complete ) public void execute() {... Full(this) in Complete, ensures= Full(this) in Destroyed ) public void delete() {... } }

17 Method Reachability Test Pulse Working MTTS Case Study Results Number of states satisfying Reachability of MttsTaskDataX MttsTaskDataX: 3 Number of states satisfying Reachability of MttsTaskDataX settaskdata: 3 Number of states satisfying Reachability of MttsTask MttsTask: 5 Number of states satisfying Reachability of MttsTask setdata: 0 Number of states satisfying Reachability of MttsTask execute: 0 Number of states satisfying Reachability of MttsTask delete: 0

18 State Reachability Test Pulse Working MTTS Case Study Results MttsTaskDataX Filled Empty MttsTask Created Ready Complete Destroyed

19 State Reachability Test (Co) Pulse Working MTTS Case Study Results MttsTask Created Ready MttsTaskDataX Empty Complete Filled Destroyed

20 State Reachability Test (Co) Pulse Working MTTS Case Study Results IMutexImpl FS FS_MUTEX_NOT_ACQUIRED FS_NESTED_MUTEX_ACQUIRED FS_MUTEX_ACQUIRED FS_NOT_NESTED_MUTEX_ACQUIRED MUTEX_ACQUIRED MUTEX_NOT_ACQUIRED Figure: State Transition Graph of the class IMutexImpl

21 Pulse Working MTTS Case Study Results Multi-Task Threaded Server (MTTS) MTTS Task organization and distribution server Used in financial sector and is written by Novabase Organizes through queues and schedules through threads MTTS Implementation Three packages mtts-api, il(intelligent lock) and server mtts-api defines tasks and queues il implements a re-entrant mutex algorithm server package organizes and distributes tasks We wrote 546 lines of Plural specifications

22 Results Background Pulse Working MTTS Case Study Results Packages Classes Methods State #Properties Runtime (s) Violations Space SS MR STM SS MR STM SS MR STM library il mtts il, library il, library, mtts il, library, mtts, server

23 Planned Extensions Planned Extensions E1- First Extension Class fields and inheritance E2- Second Extension Typestate invariants E3- Third Extension Nested method calls

24 Planned Extensions Conclusion New window to evaluate Plural specifications Enhances existing strengths of Plural Approach is scalable Practically useful evaluated through MTTS Find numerous error Typesate and method reachability

25 Thanks Background Planned Extensions Questions and Suggestions