VeriSoft - PowerPoint PPT Presentation

Slides: 25
Provided by: ofer5
Transcript and Presenter's Notes

Title: VeriSoft


1
VeriSoft
  • A Tool for the Automatic Analysis of Concurrent
    Reactive Software

Presented by Miller Ofer
2
Content
  1. Motivation for using automatic tools.
  2. The main idea of the VeriSoft application.
  3. Demo of a simple reactive system.

3
Motivation
  • What is a concurrent system?
  • A concurrent system is composed of elements that can
    operate concurrently and communicate with each
    other.
  • Each component can be viewed as a reactive system,
    i.e., a system that continuously interacts with
    its environment.
  • Example: communication protocols.

4
Motivation
  • Reactive systems are notably hard to test.
  • Traditional tests are of limited help, since test
    coverage is bound to be only a minute fraction of the
    possible behaviors of the system.
  • Their components may interact in many unexpected
    ways.
  • Scenarios leading to errors are often extremely
    difficult to reproduce.

5
The VeriSoft tool
  • Purposes
  • Systematically exploring the state space of
    systems composed of several concurrent processes
    executing arbitrary code.

6
The VeriSoft tool
  • Purposes (continued)
  • Automatically detect coordination problems between
    concurrent processes.
  • An interactive graphical simulator/debugger is
    available for following the execution of all the
    processes.

7
The VeriSoft tool
  • How does it work?
  • Each process executes a sequence of operations
    that can be written as an arbitrary C/C++ program.
  • Processes communicate with each other by performing
    operations on communication objects
    (i.e., shared variables, semaphores, FIFO
    buffers).

[Diagram: two processes, Pi 1 and Pi 2, communicating through a shared communication object labelled s.v]
8
The VeriSoft tool
  • Basic definitions
  • Definition: operations on communication objects
    are called visible operations, while all other
    operations are by default called invisible
    operations.
  • Definition: the execution of an operation is said to
    be blocking if it cannot be completed.

9
The VeriSoft tool
  • Basic definitions (continued)
  • Definition: a global state is defined when the next
    operation to be executed by every process in the
    system is a visible operation.
  • Definition: a transition is a visible operation
    followed by a finite sequence of invisible
    operations performed by a single process.
  • Definition: a transition whose visible operation
    is blocking in a global state s is said to be
    disabled in s. Otherwise, the transition is said
    to be enabled in s.

10
The VeriSoft tool
  • Basic assumptions
  • Assumption: only executions of visible
    operations may be blocking.
  • Assumption: every process in the system always
    eventually attempts to execute a visible
    operation.

11
The VeriSoft tool
  • Once the execution of t from s is complete, the
    system reaches a global state s', called the
    successor of s by t.
  • The state space of the concurrent system is
    composed of the global states that are reachable
    from the initial global state s0, and of the
    transitions that are possible between them.

12
The VeriSoft tool
  • VS_toss
  • In the case of a single open reactive system the
    environment has to be represented; in practice
    such an environment may not be available.
  • VS_toss is a simplified representation of the
    environment that simulates its observable behavior.
  • VS_toss takes as argument a positive
    integer n, and returns an integer in [0, n].
  • This operation is considered a visible and
    nondeterministic operation.

13
The VeriSoft tool
  • What kind of bugs does the application find?
  • Deadlocks
  • States where the execution of the next operation
    of every process in the system is blocking.
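The definitions on the previous slides (visible operations, global states, enabled and disabled transitions, successors) and the deadlock definition above can be exercised by a small explicit-state explorer. The program below is an added example and is not VeriSoft's own code: it models two constructed processes that perform only visible operations (P = acquire, V = release) on two binary semaphores A and B, treats every other operation as invisible and therefore not modelled, and runs a breadth-first search over the reachable global states, reporting the states in which no process has an enabled transition.

```c
/* Added example, not VeriSoft's own code: a tiny explicit-state explorer built
 * on the slides' definitions. Two constructed processes perform visible
 * operations (P = acquire, V = release) on two binary semaphores; everything
 * else they do is invisible and is not modelled. A transition is enabled in a
 * global state when its visible operation does not block, and a deadlock is a
 * global state in which no process has an enabled transition. */
#include <stdio.h>

#define NPROC 2
#define NSEM  2
#define NOPS  5          /* four operations plus an end marker per process */

typedef enum { OP_P, OP_V, OP_END } OpKind;
typedef struct { OpKind kind; int sem; } Op;

/* Constructed programs (semaphore 0 = A, 1 = B):
 * process 0: P(A) P(B) V(B) V(A)    process 1: P(B) P(A) V(A) V(B) */
static const Op PROGRAM[NPROC][NOPS] = {
    { {OP_P, 0}, {OP_P, 1}, {OP_V, 1}, {OP_V, 0}, {OP_END, 0} },
    { {OP_P, 1}, {OP_P, 0}, {OP_V, 0}, {OP_V, 1}, {OP_END, 0} },
};

/* A global state: every process sits at its next visible operation. */
typedef struct {
    int pc[NPROC];     /* index of the next visible operation of each process */
    int sem[NSEM];     /* semaphore values, 1 = free, 0 = held */
} State;

/* Is the transition of process p enabled in s? Only P may block (the slides'
 * first assumption); a finished process has no transition at all. */
static int enabled(const State *s, int p) {
    const Op *op = &PROGRAM[p][s->pc[p]];
    if (op->kind == OP_P) return s->sem[op->sem] > 0;
    if (op->kind == OP_V) return 1;
    return 0;
}

/* The successor of s by the transition of process p. */
static State successor(State s, int p) {
    const Op *op = &PROGRAM[p][s.pc[p]];
    s.sem[op->sem] += (op->kind == OP_P) ? -1 : 1;
    s.pc[p]++;
    return s;
}

static int terminated(const State *s) {
    for (int p = 0; p < NPROC; p++)
        if (PROGRAM[p][s->pc[p]].kind != OP_END) return 0;
    return 1;
}

/* Deadlock as defined on the slides: the next operation of every process is
 * blocking. A state in which every process has simply finished is not one. */
static int is_deadlock(const State *s) {
    if (terminated(s)) return 0;
    for (int p = 0; p < NPROC; p++)
        if (enabled(s, p)) return 0;
    return 1;
}

/* Dense encoding of a state for the visited set: pc values 0..4, semaphores 0..1. */
#define MAXCODE (NOPS * NOPS * 2 * 2)
static int encode(const State *s) {
    return ((s->pc[0] * NOPS + s->pc[1]) * 2 + s->sem[0]) * 2 + s->sem[1];
}

typedef struct { int states; int deadlocks; State first_deadlock; } Result;

/* Breadth-first exploration of the state space from the initial global state. */
Result explore(void) {
    State queue[MAXCODE];
    int seen[MAXCODE] = {0};
    int head = 0, tail = 0;
    Result r = { 0, 0, { {0, 0}, {0, 0} } };
    State s0 = { {0, 0}, {1, 1} };      /* both processes at their first op, both semaphores free */
    queue[tail++] = s0;
    seen[encode(&s0)] = 1;
    while (head < tail) {
        State s = queue[head++];
        r.states++;
        if (is_deadlock(&s) && r.deadlocks++ == 0) r.first_deadlock = s;
        for (int p = 0; p < NPROC; p++) {
            if (!enabled(&s, p)) continue;      /* disabled transition: not explored */
            State n = successor(s, p);
            if (!seen[encode(&n)]) { seen[encode(&n)] = 1; queue[tail++] = n; }
        }
    }
    return r;
}

int main(void) {
    Result r = explore();
    printf("%d reachable global states, %d deadlock(s)\n", r.states, r.deadlocks);
    if (r.deadlocks)
        printf("first deadlock: process 0 at op %d, process 1 at op %d, A=%d B=%d\n",
               r.first_deadlock.pc[0], r.first_deadlock.pc[1],
               r.first_deadlock.sem[0], r.first_deadlock.sem[1]);
    return 0;
}
```

The explorer visits 19 global states and finds exactly one deadlock: each process holds one semaphore and its next P operation is blocking, which is precisely the "next operation of every process is blocking" condition on the slide.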

[Diagram: deadlock]
14
The VeriSoft tool
  • What kind of bugs does the application find?
  • Assertion violations
  • Can be specified by the user with the special
    operation VS_assert. This operation is considered
    a visible operation.
  • If the expression evaluates to false, the
    assertion is said to be violated.

15
The VeriSoft tool
  • What kind of bugs does the application find?
  • Divergence
  • Occurs when a process does not attempt to execute
    any visible operation for more than a given
    (user-specified) amount of time.
  • Livelocks
  • Occur when a process has no enabled transition
    during a sequence of more than a given
    (user-specified) number of successive global
    states.

16
Example
  • Content
  • The program of an air-conditioning controller.
  • An environment.
  • The manual simulation mode.
  • The automatic simulation mode.
  • The guided simulation mode.

17
Example

First stage (slides 17 and 18): the air-conditioning controller

    void AC_controller()
    {
        char *message;
        int is_room_hot = 0;     /* initially, room is not hot */
        int is_door_closed = 1;  /* and door is closed */
        int ac = 0;              /* so, ac is off */

        while (1) {
            message = (char *) rcv_from_queue(to_me, QSZ);
            if (strcmp(message, "room_is_hot") == 0)
                is_room_hot = 1;
            if (strcmp(message, "room_is_cool") == 0)
                is_room_hot = 0;
            if (strcmp(message, "open_door") == 0) {
                is_door_closed = 0;
                ac = 0;
            }
            if (strcmp(message, "close_door") == 0) {
                is_door_closed = 1;
                if (is_room_hot)
                    ac = 1;
            }
            /* test */
            if (is_room_hot && is_door_closed)
                VS_assert(ac);
        }
    }

Visible operation on a communication object: rcv_from_queue.
Visible operation of VeriSoft: VS_assert.
19

Second stage: the environment

    void Environment()
    {
        char *message;
        message = (char *) malloc(100);

        while (1) {
            switch (VS_toss(3)) {
            case 0: sprintf(message, "room_is_cool"); break;
            case 1: sprintf(message, "room_is_hot");  break;
            case 2: sprintf(message, "open_door");    break;
            case 3: sprintf(message, "close_door");   break;
            }
            send_to_queue(from_me, QSZ, message);
        }
    }

Visible operation of VeriSoft: VS_toss (send_to_queue is a visible operation on a communication object).
20

Third stage
Trace view: this part displays the operations
that are visible according to the VeriSoft
terminology: VS_toss, VS_assert and operations on
communication objects like send_to_queue and
rcv_from_queue.
Each process view shows the current state of
the corresponding process. A process whose next
instruction is colored in red is currently
blocked.
21

Third stage
The red horizontal bar indicates the current
position in this scenario.
Process 1 is colored in blue when it is the
next process to be scheduled according to the
scenario being played.
Process 2 is colored in yellow when another
process (e.g. process 1) is about to execute a
non-visible operation.
22
Fourth stage
  • The automatic simulation mode.
  • In this mode the application explores all
    possible executions of the system, which are
    represented by a graph called the state space of
    the system.
  • By default the application performs a form of
    breadth-first search (BFS) of the state space.
  • In our case the VeriSoft application
    immediately found a scenario leading to an
    assertion violation. This error trace is
    saved in a special file named error1.path.

23
Fifth stage
  • The guided simulation mode, driven by the file
    error1.path.
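The automatic mode's breadth-first search over the state space (fourth stage) and the error path it records for guided replay (fifth stage) can be reproduced on the controller above with a few dozen lines of C. The program below is an added example, not VeriSoft's or the presenter's code. It assumes a simplified model of the slides' system: the environment is stateless and any of its four messages (the outcomes 0..3 of VS_toss(3)) can be delivered at every step, and the queue is abstracted away so that one delivery is a single atomic transition (the visible rcv_from_queue followed by the controller's invisible updates). A global state is therefore just the controller's three variables. The `fixed` flag selects a hypothetical repair that is not on the slides; it is there only to show the same search reporting that no violation remains.

```c
/* Added example, not VeriSoft's own code: breadth-first exploration of the
 * global states of the air-conditioning controller from the slides.
 * Assumptions: stateless environment, every message deliverable at each
 * step, delivery modelled as one atomic transition (no explicit queue),
 * and "fixed" selects a hypothetical repair that the slides do not contain. */
#include <stdio.h>
#include <string.h>

#define NMSG      4
#define NSTATES   8          /* three boolean variables, encoded as 3 bits */
#define MAX_TRACE 16

/* The messages the slides' Environment chooses between with VS_toss(3). */
static const char *MESSAGES[NMSG] = { "room_is_cool", "room_is_hot", "open_door", "close_door" };

/* A global state is the controller's three variables. */
typedef struct { int is_room_hot, is_door_closed, ac; } State;

static int encode(State s) { return (s.is_room_hot << 2) | (s.is_door_closed << 1) | s.ac; }

/* One transition: the visible receive of message m followed by the controller's
 * invisible updates, transcribed from AC_controller on the slides. With
 * fixed != 0 a hypothetical repair (not on the slides) switches the AC on
 * whenever the room is hot and the door is closed. */
static State step(State s, int m, int fixed) {
    const char *message = MESSAGES[m];
    if (strcmp(message, "room_is_hot") == 0)  s.is_room_hot = 1;
    if (strcmp(message, "room_is_cool") == 0) s.is_room_hot = 0;
    if (strcmp(message, "open_door") == 0)  { s.is_door_closed = 0; s.ac = 0; }
    if (strcmp(message, "close_door") == 0) { s.is_door_closed = 1; if (s.is_room_hot) s.ac = 1; }
    if (fixed && s.is_room_hot && s.is_door_closed) s.ac = 1;
    return s;
}

/* The slides' test: VS_assert(ac) is only executed when the guard holds. */
static int assertion_holds(State s) { return !(s.is_room_hot && s.is_door_closed) || s.ac; }

/* BFS from the initial global state (room not hot, door closed, AC off).
 * Returns the length of the shortest message sequence that reaches an
 * assertion violation and writes it (as message indices) into trace, the
 * way error1.path records a scenario; returns -1 if no reachable state
 * violates the assertion. *explored receives the number of distinct global
 * states discovered. */
int find_violation(int fixed, int trace[MAX_TRACE], int *explored) {
    State queue[NSTATES];
    int seen[NSTATES] = {0}, parent[NSTATES], via[NSTATES];
    int head = 0, tail = 0;
    State s0 = { 0, 1, 0 };
    seen[encode(s0)] = 1; parent[encode(s0)] = -1; queue[tail++] = s0;
    while (head < tail) {
        State s = queue[head++];
        if (!assertion_holds(s)) {
            /* walk the parent links back to s0, then reverse into forward order */
            int len = 0, code = encode(s);
            while (parent[code] != -1) { trace[len++] = via[code]; code = parent[code]; }
            for (int i = 0; i < len / 2; i++) {
                int t = trace[i]; trace[i] = trace[len - 1 - i]; trace[len - 1 - i] = t;
            }
            if (explored) *explored = tail;
            return len;
        }
        for (int m = 0; m < NMSG; m++) {       /* every VS_toss outcome is a transition */
            State n = step(s, m, fixed);
            int c = encode(n);
            if (!seen[c]) { seen[c] = 1; parent[c] = encode(s); via[c] = m; queue[tail++] = n; }
        }
    }
    if (explored) *explored = tail;
    return -1;
}

int main(void) {
    int trace[MAX_TRACE], explored, len;
    len = find_violation(0, trace, &explored);
    if (len < 0) {
        printf("no assertion violation reachable\n");
    } else {
        printf("assertion violation after %d message(s), %d states explored:\n", len, explored);
        for (int i = 0; i < len; i++) printf("  %s\n", MESSAGES[trace[i]]);
    }
    len = find_violation(1, trace, &explored);
    printf("hypothetical repair: %s (%d states)\n",
           len < 0 ? "no violation reachable" : "still violated", explored);
    return 0;
}
```

Run as is, the search stops after discovering three global states: delivering a single "room_is_hot" while the door is closed leaves `ac` at 0, which is the scenario the slides say VeriSoft finds immediately. With the hypothetical repair the whole state space (five global states under this model) is explored without a violation, which is the kind of result one wants from the automatic mode after a fix.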

24

void AC_controller() while (1)
message(char )rcv_from_queue(to_me,QSZ) if
(strcmp(message,"room_is_hot") 0)
is_room_hot1 if (strcmp(message,"room_
is_cool") 0) is_room_hot0
if (strcmp(message,"open_door") 0)
is_door_closed0 ac0 if
((strcmp(message,"close_door") 0))
is_door_closed1 if (is_room_hot)
ac1 if (is_room_hot is_door_closed)
VS_assert(ac)
Inintialization int is_room_hot0 int
is_door_closed1 int ac0