Page 1: CIS 842: Specification and Verification of Reactive Systems

Lecture 1: Course Overview

Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The syllabus and all lectures for this course are copyrighted materials and may not be used in other course settings outside of Kansas State University in their current form or modified form without the express written permission of one of the copyright holders. During this course, students are prohibited from selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of one of the copyright holders.

Page 2: Software is ...

... one of the most complex man-made artifacts

“It’s different [from other engineering disciplines] in that we take on novel tasks every time. The number of times [civil engineers] make mistakes is very small. And at first you think, what’s wrong with us? It’s because it’s like we’re building the first skyscraper every time.” -- Bill Gates (Microsoft, 1992)

“I believe the [spreadsheet product] I’m working on now is far more complex than a 747 (jumbo jet airliner)” -- Chris Peters (Microsoft, 1992)

Page 3: Goal: Increase Software Reliability

Trends:

Size, complexity, concurrency, distributed

Cost of software engineer ...

Cost of CPU cycle ...

Future: Automated Fault Detection

Page 4: Reasoning About Concurrent Systems is Hard

class Job extends Thread {
    Container objref;
    Object x;

    // Lock on the Container currently referenced, then bump its counter.
    // objref itself is read without synchronization, and setref() can
    // change it while another thread is inside incr().
    public Job incr() {
        synchronized (objref) {
            objref.counter = objref.counter + 1;
        }
        return this;
    }

    public void setref(Container o) { objref = o; }

    // three increments per thread
    public void run() {
        for (int i = 0; i < 3; i++) { incr(); }
    }
}

class Container { public int counter; }

class Apprentice {
    public static void main(String[] args) {
        Container c1 = new Container();
        Container c2 = new Container();
        Job j1 = new Job();
        Job j2 = new Job();
        j1.setref(c2);
        j2.setref(c1);
        j1.start();
        j2.start();
        j1.setref(c1);   // re-targets j1 while both threads are running
    }
}

Does the value of counter ever decrease?

Source: J.S. Moore, George Porter, "Proving Properties of Java Threads".

Page 5: The Dream

[Figure: a Program and a Requirement feed a Checker, which answers OK or returns an Error trace]

void add(Object o) {
    buffer[head] = o;
    head = (head+1)%size;
}

Object take() {
    …
    tail = (tail+1)%size;
    return buffer[tail];
}

Property 1: … Property 2: …

Page 6: Model Checking

[Figure: a Finite-state model and a Temporal logic formula feed a Model Checker, which answers OK or returns an Error trace given as a sequence of program lines (Line 5: …, Line 12: …, Line 15: …, Line 21: …, Line 25: …, Line 27: …, …, Line 41: …, Line 47: …)]

Page 7: Spin Example

#define MAX 8   /* not on the slide: some bound on the message value is assumed here */

proctype A(chan in, out)
{
    byte mt;    /* message data */
    bit  vr;    /* verify bit */
L1: mt = (mt+1)%MAX;          /* next message value */
    out!mt,1;                 /* send it with sequence bit 1 */
    goto L2;
L2: in?vr;                    /* wait for the acknowledgement bit */
    if
    :: (vr == 1) -> goto L1   /* acknowledged: move on to the next message */
    :: (vr == 0) -> goto L3   /* wrong bit: retransmit */
    :: printf("Error"); goto L5
    fi;
L3: out!mt,1;
    goto L2;
L4: in?vr;
    if
    :: goto L1
    :: printf("Error"); goto L5
    fi;
L5: out!mt,0;
    goto L4
}

[Figure: state diagram of process A with states L1, L2, L3, L4, L5 and transitions labeled ?b1, ?b0, ?err, ?a1, !a1, !a0]

Fragment of Alternating Bit Protocol

Page 8-12: Explicit State Model-checking

[Figure, built up over five slides: on the left, the state diagram of process A from the previous slide (states L1, L2, L3, L4, L5; transitions ?b1, ?b0, ?err, ?a1, !a1, !a0), captioned "Fragment of Alternating Bit Protocol". On the right, two views of the checker: the Implementation view keeps a Pending worklist and a Seen Before set, and the Conceptual View shows the Explored State-Space as a computation tree. Across the slides the tree grows from the state [L1, (mt1, vr1), ...] to [L2, (mt2, vr2), ...], branches to [L3, (mt3, vr3), ...] and [L5, (mt5, vr5), ...], and reaches [L1, (mt1', vr1'), ...], control location L1 again with new data values.]
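The Pending / Seen Before loop these slides sketch, written out as an added Python example (not code from the slides or from Spin) and run over a constructed producer/consumer model of the add()/take() buffer from the Dream slide. The explorer, the buffer model, SIZE, the ghost `occupied` count and the invariant are this example's own; the guarded variant of the buffer is likewise a constructed fix, not something the slide proposes.

```python
"""Explicit-state exploration of a producer/consumer ring buffer.

Added example, not code from the CIS 842 slides: a small explicit-state
checker with a Pending worklist, a Seen-Before set and error-trace
reconstruction, applied to a constructed abstraction of the add()/take()
buffer from the "Dream" slide. All names are this example's own.
"""
from collections import deque

SIZE = 2             # buffer capacity (constructed); plays the role of the slide's `size`
MAX_STATES = 10_000  # safety bound so an unbounded model cannot run forever


def explore(initial, successors, invariant, max_states=MAX_STATES):
    """Depth-first explicit-state search.

    Returns ("OK", number_of_states) if every reachable state satisfies
    `invariant`, ("ERROR", trace) with the transition labels leading to the
    first violating state found, or ("BOUND", number_of_states) if the
    state bound is hit first.
    """
    pending = deque([initial])   # worklist, used as a stack (DFS)
    seen_before = {initial}      # states already scheduled; never explored twice
    parent = {initial: None}     # predecessor and label, for the error trace
    while pending:
        state = pending.pop()
        if not invariant(state):
            return "ERROR", error_trace(parent, state)
        for label, nxt in successors(state):
            if nxt not in seen_before:
                if len(seen_before) >= max_states:
                    return "BOUND", len(seen_before)
                seen_before.add(nxt)
                parent[nxt] = (state, label)
                pending.append(nxt)
    return "OK", len(seen_before)


def error_trace(parent, state):
    """Walk parent links back to the initial state; return labels in order."""
    labels = []
    while parent[state] is not None:
        state, label = parent[state]
        labels.append(label)
    labels.reverse()
    return labels


# A state is (head, tail, occupied): the two indices from the slide plus a
# ghost count of unconsumed elements, which the real code does not keep.
INITIAL = (0, 0, 0)


def buffer_successors(guarded):
    """Interleave a producer calling add() with a consumer calling take().

    With guarded=False the methods are the unguarded ones on the slide;
    with guarded=True add() waits while full and take() waits while empty
    (a constructed fix), which also keeps the state space finite.
    """
    def successors(state):
        head, tail, occupied = state
        out = []
        if not guarded or occupied < SIZE:    # producer: add(o)
            out.append(("producer add", ((head + 1) % SIZE, tail, occupied + 1)))
        if not guarded or occupied > 0:       # consumer: take()
            out.append(("consumer take", (head, (tail + 1) % SIZE, occupied - 1)))
        return out
    return successors


def buffer_invariant(state):
    """Never take from an empty buffer, never overwrite an unconsumed slot."""
    return 0 <= state[2] <= SIZE


def check_buffer(guarded):
    return explore(INITIAL, buffer_successors(guarded), buffer_invariant)


if __name__ == "__main__":
    print("unguarded:", check_buffer(False))   # ERROR with a one-step trace
    print("guarded:  ", check_buffer(True))    # OK after exploring 6 states
```

The unguarded model yields an error trace after a single step (a take() on the empty buffer), which is exactly the "Error trace" arm of the Dream slide; the guarded model is closed under both transitions, so the search terminates with every state in Seen Before and reports OK. The max_states bound is the practical concession that the conceptual computation tree is infinite for an unbounded model.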

Page 13: Why Try to Use Model Checking for Software?

In contrast to testing, it gives complete coverage by exhaustively exploring all paths in the system.

It has been used for years with good success in hardware and protocol design.

It automatically checks, e.g.,
– invariants, simple safety and liveness properties,
– absence of deadlock and livelock,
– complex event sequencing properties, such as
  "Between the window open and the window close, button X can be pushed at most twice."

This suggests that model checking can complement existing software quality assurance techniques.
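The sequencing requirement quoted above, turned into a finite-state monitor as an added Python example (not from the slides or from any of the tools they name). The builder is generalised to any start event, end event, bounded event and bound; the event names and the two sample traces are constructed for this example.

```python
"""A finite-state monitor for a bounded event-sequencing requirement.

Added example, not from the CIS 842 slides: the English requirement
"between the window open and the window close, button X can be pushed at
most twice" turned into a small automaton that a checker can run over an
event trace. The builder is general in start/end/bounded events and the
bound; the event names and sample traces are constructed for this example.
"""

VIOLATED = "violated"


def bounded_between(start, end, event, limit):
    """Build a monitor for: between `start` and the next `end`, `event`
    occurs at most `limit` times. States are "outside", ("inside", k) for
    k occurrences seen so far, and VIOLATED (a sink). Returns the initial
    state and the step function.

    Assumption (not from the slide): a second `start` before an `end`
    restarts the count, and `event` outside a window is unconstrained.
    """
    def step(state, ev):
        if state == VIOLATED:
            return VIOLATED
        if ev == start:
            return ("inside", 0)
        if ev == end:
            return "outside"
        if ev == event and state != "outside":
            k = state[1] + 1
            return ("inside", k) if k <= limit else VIOLATED
        return state          # any other event leaves the monitor alone
    return "outside", step


def run_monitor(monitor, trace):
    """Drive the monitor over `trace`. Returns ("OK", steps) or
    ("ERROR", prefix), where the prefix is the shortest violating trace."""
    state, step = monitor
    for i, ev in enumerate(trace):
        state = step(state, ev)
        if state == VIOLATED:
            return "ERROR", list(trace[: i + 1])
    return "OK", len(trace)


WINDOW_MONITOR = bounded_between("open", "close", "push", 2)

# Constructed traces: the first respects the bound (a push outside the window
# does not count, and a new window resets the count); the second violates it.
GOOD_TRACE = ["push", "open", "push", "push", "close", "open", "push", "push", "close"]
BAD_TRACE = ["open", "push", "push", "push", "close"]

if __name__ == "__main__":
    print(run_monitor(WINDOW_MONITOR, GOOD_TRACE))  # ('OK', 9)
    print(run_monitor(WINDOW_MONITOR, BAD_TRACE))   # ('ERROR', ['open', 'push', 'push', 'push'])
```

Inside a model checker the same step function runs in lock-step with the model's transitions, its state becomes part of each explored state, and "monitor is in VIOLATED" is checked as an ordinary invariant; the prefix returned here is then the error trace the checker reports.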

Page 14: In this course ...

You will study various tools and techniques for debugging and verifying properties of concurrent systems (software, in particular).
– Spin: system designed for verifying protocols based on communicating FSA
– Bandera: tool set for checking concurrent Java software that compiles Java to Spin, dSpin, etc.
– JPF: model-checker that works directly on Java bytecodes

Page 15: In this course ...

You will learn the basic algorithms and data structures used in a model-checker.
– You will program several versions of a model-checker for a simple programming language
– Small programming assignments using OCaml, a dialect of ML (you will learn OCaml by yourself during the course)
– You will study the formal semantics of various abstraction and slicing techniques used for software model-checking

Page 16: In this course ...

In a project component, you will apply Bandera and other model-checking engines (e.g., Spin, dSpin, JPF) to check properties of medium-size Java systems.
– Formalize system requirements in Bandera's specification language
– Identify appropriate code units and test harnesses to be used in checking
– Perform abstractions and other model-reduction techniques required for obtaining a tractable model
– Write multiple documents describing each phase of the project

Page 17: Summary

Software is becoming pervasive and very complex

Model-checking is a promising technique for modeling, debugging, and verifying properties of concurrent systems

We will learn the basic principles of explicit state model-checking and methods for applying it effectively to real-world concurrent software

We will explore current research topics that may impact the future of software model-checking