Model Checking for Programming Languages using VeriSoft - PowerPoint PPT Presentation

Slides: 30
Provided by: csHai
1
Model Checking for Programming Languages using
VeriSoft
  • Kobi Afoota

2
Outline
  • Introduction
  • Concurrent systems Dynamic Semantics
  • Existing techniques
  • A state-less algorithm
  • VeriSoft
  • Conclusions

3
The verification problem
  • Model checking is an effective method.
  • Restricted to abstracted concurrent systems.
  • The goal: extend model checking to the
    implementations of concurrent systems.
  • Eventually, introducing a new algorithm.

4
What are Concurrent Systems?
  • Composed of several elements.
  • The elements can operate concurrently and
    communicate with each other.
  • Each component can be viewed as a reactive
    system.
  • The system is hard to design.
  • Limited help from traditional testing techniques.

5
State-Space exploration
  • Excellent strategy for analyzing correctness.
  • Consists of exploring a directed graph.
  • The graph represents the combined behavior of all
    concurrent components in the system.

6
State-Space exploration what for?
  • Many properties of a model of a system can be
    checked
  • Deadlocks
  • Dead code
  • Violations of user-specified assertions

7
The motivation
  • Extend the existing model-checking techniques to
    deal with the actual description of concurrent
    systems.
  • For example, the implementation of communication
    protocols written in C or C++.
  • Create an efficient search technique.

8
Outline
  • Introduction
  • Concurrent systems Dynamic Semantics
  • Existing techniques
  • A state-less algorithm
  • VeriSoft
  • Conclusions

9
The two-dining-philosophers: the C program
10
The two-dining-philosophers: the C program - cntd
11
The two-dining-philosophers: global state space
12
The VS_toss operation
  • In practice, it is more convenient to use a
    model, a simplified representation.
  • VS_toss: a special operation to express
    nondeterminism.
  • VS_toss(n) may yield up to n+1 different
    successor states, corresponding to the different
    values returned by VS_toss.

13
The main focus of the verification
  • The focus will be on the following properties of the
    concurrent system:
  • Detection of deadlocks.
  • Detection of violations of assertions, using
    VS_assert.
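Slides 12 and 13 describe VS_toss as a choice point that yields up to n+1 successor states, and VS_assert as the way violations are reported. The C program below is an added example written for this page, not code from the deck or from VeriSoft: it drives a small constructed process (a buffer writer whose message count and chunk size are chosen by toss) by replaying a script of recorded toss results, re-running the process from its initial state each time the script runs out, and forks the run n+1 ways at every unscripted toss. The names toss, check, process, explore and explore_process, the buffer sizes, and the replay-by-script mechanism are this example's own assumptions, not VeriSoft's API or implementation.

```c
#include <setjmp.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_DEPTH 16   /* bound on recorded toss results per run (assumption) */
#define BUFSZ 8        /* size of the constructed process's buffer */

/* One execution of the process, driven by a script of recorded toss results. */
typedef struct {
    int script[MAX_DEPTH];  /* toss values replayed in order */
    int len;                /* number of scripted values */
    int pos;                /* next script index to consume */
    int pending_bound;      /* n of the toss that ran off the script, -1 if none */
    bool violated;          /* did the assertion fail in this run? */
    jmp_buf stop;           /* used to abort the run at an unscripted toss */
} Run;

typedef struct {
    long executions;        /* runs that reached the end of the process */
    long violations;        /* runs in which the assertion failed */
    long choice_points;     /* unscripted toss calls that were forked */
} Report;

/* Stand-in for VS_toss(n): replay a recorded value, or abort the run so the
 * explorer can fork it into the n+1 successors 0..n at this point. */
static int toss(Run *r, int n) {
    if (r->pos < r->len) return r->script[r->pos++];
    r->pending_bound = n;
    longjmp(r->stop, 1);
    return 0;               /* not reached */
}

/* Stand-in for VS_assert: record the violation instead of stopping. */
static void check(Run *r, bool cond) {
    if (!cond) r->violated = true;
}

/* Constructed process under test: choose how many messages to write and how
 * large each is, then copy them into a fixed buffer. */
static void process(Run *r) {
    int messages = toss(r, 3);      /* 0..3 messages */
    int chunk    = toss(r, 2) + 1;  /* 1..3 slots per message */
    int buf[BUFSZ];
    int used = 0;
    for (int m = 0; m < messages; m++) {
        check(r, used + chunk <= BUFSZ);        /* the property: no overflow */
        if (used + chunk > BUFSZ) return;       /* stay memory-safe on the bad path */
        for (int b = 0; b < chunk; b++) buf[used + b] = m;
        used += chunk;
    }
    (void)buf;
}

/* State-less exploration of all toss outcomes: every run starts from the
 * initial state and replays the current script, like a scheduler re-executing
 * the process. */
static void explore(Run *r, Report *rep) {
    r->pos = 0;
    r->pending_bound = -1;
    r->violated = false;
    if (setjmp(r->stop) == 0) {
        process(r);                             /* ran to completion */
        rep->executions++;
        if (r->violated) {
            rep->violations++;
            printf("assertion violated with toss results:");
            for (int i = 0; i < r->len; i++) printf(" %d", r->script[i]);
            printf("\n");
        }
        return;
    }
    /* The run stopped at an unscripted toss(n): extend the script n+1 ways. */
    rep->choice_points++;
    if (r->len >= MAX_DEPTH) return;
    int n = r->pending_bound;
    for (int v = 0; v <= n; v++) {
        r->script[r->len++] = v;
        explore(r, rep);
        r->len--;
    }
}

Report explore_process(void) {
    Run r;
    Report rep = {0, 0, 0};
    r.len = 0;
    explore(&r, &rep);
    return rep;
}

int main(void) {
    Report rep = explore_process();
    printf("%ld complete executions, %ld choice points, %ld violation(s)\n",
           rep.executions, rep.choice_points, rep.violations);
    return 0;
}
```

The first toss forks the run four ways and each of those forks three ways at the second toss, so the explorer performs twelve complete executions from five choice points and reports the one combination (three messages of three slots) that would overrun the buffer. Nothing about the process is stored between runs; only the script of toss results is, which is the same trade the deck's state-less search makes.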

14
Outline
  • Introduction
  • Concurrent systems Dynamic Semantics
  • Existing techniques
  • A state-less algorithm
  • VeriSoft
  • Conclusions

15
A classical search algorithm
16
About the algorithm
  • Works on models.
  • Recursively explores all successor states.
  • Starts from the initial state.
  • Main data structures:
  • A set to store the states whose successors still
    have to be explored.
  • A hash table to store all the states that have
    already been visited.

17
The big problem
  • The algorithm assumes that each state s can be
    represented by a unique identifier, that can be
    stored in the data structures.
  • In full-fledged programming languages the
    assumption isn't valid!!!

18
Outline
  • Introduction
  • Concurrent systems Dynamic Semantics
  • Existing techniques
  • A state-less algorithm
  • VeriSoft
  • Conclusions

19
A state-less search
  • What happens if we won't store any intermediate
    states in memory?
  • If the state-space contains cycles, the search
    won't terminate.
  • Even state-less searches on small acyclic
    state-spaces will terminate only after a large
    amount of time.

20
The dining philosophers problem, using state-less
search
  • The state-space is acyclic.
  • The run-time is slower than Algorithm 1.
  • The number of transitions is much bigger.
  • State-less search explores 386,816 transitions
  • There are only 708 transitions in the state-space.
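The classical search of slide 16 and the state-less search of slides 19 and 20, side by side, as an added example written for this page (not the deck's program and not VeriSoft code). The model is a constructed two-philosopher program in which each philosopher thinks, takes its left fork, takes its right fork and releases both, with no loop, so the state space is acyclic like the deck's example. Both searches share the same enabled, step and is_deadlock functions; only stateful_search keeps a visited table, keyed by encode, which is exactly the unique state identifier that slide 17 says a full-fledged program does not offer. All names and the model itself are this example's assumptions, and the counts it reports are the toy model's, not the deck's 708 versus 386,816.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: two philosophers, each running a fixed sequence of
 * five steps (think, take left, take right, drop left, drop right). */
#define NPHIL 2
#define NFORK NPHIL
#define NSTEPS 5
/* Every state packs into one integer below this bound (see encode). */
#define KEYSPACE ((NSTEPS + 1) * (NSTEPS + 1) * (NPHIL + 1) * (NPHIL + 1))

typedef struct {
    int pc[NPHIL];      /* next step of each philosopher; NSTEPS means finished */
    int fork[NFORK];    /* -1 = free, otherwise index of the holder */
} State;

typedef struct {
    long transitions;   /* transitions executed by the search */
    long states;        /* distinct states (stateful) or state visits (state-less) */
    long deadlocks;     /* deadlock states reached (with repeats for state-less) */
} Stats;

static int left_fork(int i)  { return i; }
static int right_fork(int i) { return (i + 1) % NFORK; }

/* Can philosopher i execute its next step in state s? */
static bool enabled(const State *s, int i) {
    switch (s->pc[i]) {
    case 0:  return true;                         /* think: local step */
    case 1:  return s->fork[left_fork(i)]  < 0;   /* take left fork */
    case 2:  return s->fork[right_fork(i)] < 0;   /* take right fork */
    case 3:
    case 4:  return true;                         /* releases never block */
    default: return false;                        /* finished */
    }
}

/* Successor of s after philosopher i runs its next step (caller checks enabled). */
static State step(State s, int i) {
    switch (s.pc[i]) {
    case 1: s.fork[left_fork(i)]  = i;  break;
    case 2: s.fork[right_fork(i)] = i;  break;
    case 3: s.fork[left_fork(i)]  = -1; break;
    case 4: s.fork[right_fork(i)] = -1; break;
    default: break;                               /* think: no shared effect */
    }
    s.pc[i]++;
    return s;
}

/* Deadlock: some process still has work to do, but no process can move. */
static bool is_deadlock(const State *s) {
    bool unfinished = false;
    for (int i = 0; i < NPHIL; i++) {
        if (enabled(s, i)) return false;
        if (s->pc[i] < NSTEPS) unfinished = true;
    }
    return unfinished;
}

/* The unique identifier Algorithm 1 relies on: the whole state as one integer. */
static int encode(const State *s) {
    int key = 0;
    for (int i = 0; i < NPHIL; i++) key = key * (NSTEPS + 1) + s->pc[i];
    for (int j = 0; j < NFORK; j++) key = key * (NPHIL + 1) + (s->fork[j] + 1);
    return key;
}

/* Depth-first exploration; with visited == NULL it is the state-less search. */
static void dfs(State s, Stats *st, bool *visited) {
    if (visited) {
        int key = encode(&s);
        if (visited[key]) return;                 /* already explored: prune */
        visited[key] = true;
    }
    st->states++;
    if (is_deadlock(&s)) st->deadlocks++;
    for (int i = 0; i < NPHIL; i++) {
        if (!enabled(&s, i)) continue;
        st->transitions++;
        dfs(step(s, i), st, visited);
    }
}

static State initial_state(void) {
    State s;
    memset(&s, 0, sizeof s);
    for (int j = 0; j < NFORK; j++) s.fork[j] = -1;
    return s;
}

/* Algorithm 1 of the deck: a table of visited states prunes re-exploration. */
Stats stateful_search(void) {
    static bool visited[KEYSPACE];
    memset(visited, 0, sizeof visited);
    Stats st = {0, 0, 0};
    dfs(initial_state(), &st, visited);
    return st;
}

/* The same search with no memory of visited states. */
Stats stateless_search(void) {
    Stats st = {0, 0, 0};
    dfs(initial_state(), &st, NULL);
    return st;
}

int main(void) {
    Stats a = stateful_search(), b = stateless_search();
    printf("stateful:   %ld states, %ld transitions, %ld deadlock state(s)\n",
           a.states, a.transitions, a.deadlocks);
    printf("state-less: %ld visits, %ld transitions, %ld deadlock hit(s)\n",
           b.states, b.transitions, b.deadlocks);
    return 0;
}
```

On this model the stateful search expands 28 states over 38 transitions and reports the one deadlock state (both philosophers holding their left fork) once; the state-less search, with nothing to prune the interleavings of the independent think steps, makes 103 visits over 102 transitions and reaches that same deadlock state six times. The redundancy grows with the number of independent steps, which is the effect slide 20 reports for the deck's own program.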

21
The diagram
22
An efficient algorithm
23
Comparing the 3 methods
24
Outline
  • Introduction
  • Concurrent systems Dynamic Semantics
  • Existing techniques
  • A state-less algorithm
  • VeriSoft
  • Conclusions

25
What is VeriSoft?
  • An implementation of a state-less search using
    persistent sets and sleep sets.
  • This tool systematically explores the state space
    of systems composed of several concurrent
    processes executing arbitrary C code.
  • Every process is mapped to a UNIX process.

26
What is VeriSoft? cntd
  • A scheduler controls the execution of the system
    processes.
  • The scheduler contains an implementation of
    Algorithm 2.
  • VeriSoft checks deadlocks, assertion violations,
    divergences and livelocks.
  • Divergence: a process doesn't attempt to execute
    any visible operation.
  • Livelock: a process has no enabled transition.

27
Achievements
  • VeriSoft is being used for analyzing the
    correctness of several implementations of
    communication protocols.
  • VeriSoft successfully discovered an error in a
    2500-line concurrent C program.

28
Outline
  • Introduction
  • Concurrent systems Dynamic Semantics
  • Existing techniques
  • A state-less algorithm
  • VeriSoft
  • Conclusions

29
Conclusions
  • A state-space is mainly used to verify a
    model.
  • When implemented on a concurrent system, the
    algorithm is inefficient.
  • A state-less search relies on the assumption that
    each state has a unique identifier, thus this
    algorithm is inefficient when implemented on
    arbitrary programs.
  • When implemented with state-space caching, the
    state-less search becomes very efficient and
    reliable.