Model Checking Software Using The Bogor Framework - PowerPoint PPT Presentation

1
Model Checking Software Using The Bogor Framework
SAnToS Laboratory, Kansas State University, USA
http://bogor.projects.cis.ksu.edu
Matthew B. Dwyer
John Hatcliff
Robby
Session I: Bogor Overview
Support
Boeing, Honeywell Technology Center, IBM, Intel,
US Army Research Office (ARO), US National Science
Foundation (NSF), US Department of Defense
Advanced Research Projects Agency (DARPA),
Lockheed Martin, NASA Langley, Rockwell-Collins
ATC, Sun Microsystems
2
Research Context
SAnToS Laboratory, Kansas State University
http://www.cis.ksu.edu/santos
  • Aiming for robust tools
    • open source, commercial quality (or close to it)
  • Trying to build on lessons learned
    • working on next generation of Bandera, etc.
  • Integration into development process
    • ease of use and scalability sometimes take
      precedence over theoretical elegance
    • most of the time, focus is on bug-finding rather
      than true verification

3
Research Context: Bogor
  • Supporting model-checking of OO software (Java,
    in particular)
  • Open platform for research/experimentation
    • take your favorite new idea, implement it in
      Bogor to try it out
  • Teaching tool
    • foundation of a tool/application-oriented course
      on model-checking
    • some material already available, much more on the
      way

4
Goals of This Tutorial
  • Introduction to the primary features/functions of
    Bogor
  • Introduction to the Bogor APIs that will allow
    you to easily modify Bogor or to add new
    functionality
    • requires some effort to learn
    • but a number of people have already implemented
      Bogor extensions
  • Overview of some of the more sophisticated
    reduction algorithms of Bogor
  • Get feedback from you as to what features/support
    you might want to have in Bogor that would make it
    more useful for you

5
Bogor
6
Bogor Software Model Checking Framework
7
Bogor: Direct support for OO software
  • Direct support for
    • unbounded dynamic creation of threads and objects
    • automatic memory management (garbage collection)
    • virtual methods, exceptions, etc.
    • supports virtually all of Java
Extensive support for checking concurrent OO
software: software-targeted algorithms
  • thread/heap symmetry
  • compact state representation
  • partial order reduction techniques driven by
    • object escape analysis
    • locking information

8
Bogor: Domain-Specific Model-Checking
Modeling language and algorithms easily
customized to different domains
9
System Modeling Problem: Variety of Application
Domains
10
Leveraging Domain Knowledge
  • Holzmann developed a customized model extraction
    from C to Spin
  • Translation using pattern matching of particular
    domain idioms
  • In essence, an abstract machine for a particular
    domain
  • Very effective at finding subtle defects

Lucent PathStar Telephone Switch
11
System Modeling Problem: Variety of System
Descriptions
Different levels of abstraction!
12
The Goal
13
The Goal
Device Drivers
Source code
Model-checking Engine
14
The Goal
Automotive
Design Notations
Model-checking Engine
15
Customization Mechanisms
Domain-Specific Scheduler
Domain-Specific Search
Domain-Specific State Rep.
16
Outline
Overview
17
Bogor Modeling Language: BIR
BIR: Bandera Intermediate Representation
  • Used as the intermediate language for the Bandera
    Tool Set for model-checking Java programs
  • Guarded command language
    • when <condition> do <command>
  • Native support for a variety of object-oriented
    language features
    • dynamically created objects and threads,
      exceptions, methods, inheritance, etc.

18
An Example: 2 Dining Philosophers
(figure: two philosophers sharing two forks, each fork labelled left/right from each philosopher's side)
19
A BIR Example: 2 Dining Philosophers

    system TwoDiningPhilosophers {
      record Fork { boolean isHeld; }

      main thread MAIN() {
        Fork fork1;
        Fork fork2;
        loc loc0:
          do {
            // create forks
            fork1 := new Fork;
            fork2 := new Fork;
            // start philosophers
            start Phil(fork1, fork2);
            start Phil(fork2, fork1);
          } return;
      }

      thread Phil(Fork left, Fork right) {
        loc loc0:   // take left fork
          when !left.isHeld do { left.isHeld := true; } goto loc1;
        loc loc1:   // take right fork
          when !right.isHeld do { right.isHeld := true; } goto loc2;
        loc loc2:   // put right fork
          do { right.isHeld := false; } goto loc3;
        loc loc3:   // put left fork
          do { left.isHeld := false; } goto loc0;
      }
    }

20
A BIR Example: 2 Dining Philosophers
Uses a record to model forks (the Fork record in the listing on slide 19)
21
A BIR Example: 2 Dining Philosophers
Thread declarations (MAIN and Phil in the listing on slide 19)
24
A BIR Example: 2 Dining Philosophers
Guarded transformations (aka guarded transitions, guarded commands), as in the Phil thread of the listing on slide 19

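To make the guarded-command semantics concrete, the following is an added example (not Bogor code and not from the tutorial): it encodes the two Phil threads of the listing above as guard/command tables, interleaves them exhaustively, and returns the reachable state in which neither philosopher can move together with the trace leading to it. The names phil, successors and check are this example's own.

```python
from collections import deque

# Added example, not Bogor code: a tiny explicit-state checker for the
# TwoDiningPhilosophers BIR model. Each thread is a table
#   loc -> (guard, command, next loc)
# mirroring  loc locN: when <condition> do { <command> } goto locM;
# Forks are a dict {fork name: isHeld}. MAIN's single `do { ... } return`
# transition is folded into the initial state, where both Phil threads exist.

def phil(left, right):
    """Transition table of thread Phil(Fork left, Fork right)."""
    return {
        "loc0": (lambda h: not h[left],  lambda h: {**h, left: True},   "loc1"),
        "loc1": (lambda h: not h[right], lambda h: {**h, right: True},  "loc2"),
        "loc2": (lambda h: True,         lambda h: {**h, right: False}, "loc3"),
        "loc3": (lambda h: True,         lambda h: {**h, left: False},  "loc0"),
    }

THREADS = [phil("fork1", "fork2"), phil("fork2", "fork1")]   # the two `start` commands
INITIAL = (("loc0", "loc0"), (("fork1", False), ("fork2", False)))

def successors(state):
    """Interleaving semantics: fire each enabled guarded command in turn."""
    locs, heap = state
    h = dict(heap)
    for t, table in enumerate(THREADS):
        guard, command, nxt = table[locs[t]]
        if guard(h):
            new_locs = locs[:t] + (nxt,) + locs[t + 1:]
            yield t, (new_locs, tuple(sorted(command(h).items())))

def check(initial=INITIAL):
    """Breadth-first search of the reachable state space.
    Returns (number of states, deadlock states, counter-example trace)."""
    parent = {initial: None}
    queue = deque([initial])
    deadlocks = []
    while queue:
        s = queue.popleft()
        succ = list(successors(s))
        if not succ:                      # no thread can move: deadlock
            deadlocks.append(s)
        for t, n in succ:
            if n not in parent:
                parent[n] = (s, t)
                queue.append(n)
    trace, cur = [], (deadlocks[0] if deadlocks else None)
    while cur is not None:                # walk parent links back to INITIAL
        trace.append(cur)
        cur = parent[cur][0] if parent[cur] else None
    return len(parent), deadlocks, trace[::-1]

if __name__ == "__main__":
    n, dead, trace = check()
    print(f"{n} states, {len(dead)} deadlock(s)")
    for locs, heap in trace:
        print(locs, dict(heap))
```

The only reachable deadlock is both philosophers at loc1 holding their left fork, which is the state a Bogor counter-example display would navigate to.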
25
A BIR Example: 2 Dining Philosophers
  • Demo
    • Bogor BIR Editor
      • syntax highlighting
      • well-formedness checker
    • Bogor Counter-example Display
      • states and transitions navigation
      • heap visualization
    • BIR Session Wizard
      • creating new sessions
      • configuring Bogor

26
Bogor Online Resources
  • Project website: http://bogor.projects.cis.ksu.edu/
  • Bogor User Manual: http://bogor.projects.cis.ksu.edu/manual
  • Distribution Licensing
    • Freely downloadable from the Bogor project
      website
      • registration is required
    • Cannot redistribute the Bogor package, but you
      can redistribute Bogor extensions

27
Outline
Overview
28
Modeling Java Programs
Java classes and methods
29
Modeling Java Programs
Additional BIR identifiers
(), /\, \/, , and are all BIR
identifiers used to avoid name clashes
30
Modeling Java Programs
Records for Java classes
records are used to model Java classes
(inheritance)
31
Modeling Java Programs
Static fields
static fields are modeled as global variables
32
Modeling Java Programs
Java methods as functions
Java methods are modeled as functions
33
Modeling Java Programs
Dynamic dispatch of methods
Virtual tables are used to resolve dynamic
dispatch of methods
34
Modeling Java Programs
Dynamic dispatch of methods
35
Modeling Java Programs
Dynamic dispatch of methods
BIR function invocations model Java
method invocations (static, special, virtual, or
interface)
36
Modeling Java Programs
Exceptions
37
Outline
Overview
38
BIR Functional Sub-language
  • Motivation
    • want to allow complex queries of states while
      guaranteeing purity
    • very useful for specification purposes
  • Syntax and semantics
    • similar to other functional languages (SML, etc.)
    • currently supports only first-order functions

39
BIR Functional Sub-language
40
Assessment
  • BIR provides features commonly found in modern
    programming languages
    • Dynamic creation of objects and threads,
      automatic memory management, etc.
  • Java-to-BIR translator
    • Uses the Soot framework from Sable Research at
      McGill University
    • Document: http://projects.cis.ksu.edu/docman/?group_id=10

41
BIR: Extensible Modeling Language
  • Motivation
    • variety of application domains and system-level
      descriptions often work at different levels of
      abstraction
    • want to be able to bridge the gap between system
      descriptions and BIR with ease
  • can be extended on an on-demand basis
    • minimize changes to Bogor components
      • parser/lexer, symbol table, AST, type system,
        etc.

42
BIR Extensions
BIR allows introduction of new abstract types and
operations: wait till next session!