1 / 20

Verifying Component Substitutability

Verifying Component Substitutability. Nishant Sinha Edmund Clarke Natasha Sharygina Sagar Chaki Carnegie Mellon University. P. Substitutability Check. Assembly A. ?. Component C. Component C’. Motivation. Component-based Software Software modules shipped by separate developers

gabby
Download Presentation

Verifying Component Substitutability

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Verifying Component Substitutability Nishant Sinha Edmund Clarke Natasha Sharygina Sagar Chaki Carnegie Mellon University

  2. P Substitutability Check Assembly A ? Component C Component C’

  3. Motivation • Component-based Software • Software modules shipped by separate developers • An assembly consists of several components • Undergo several updates/bug-fixes during their lifecycle • Component assembly verification • Necessary on update of any component • High verification costs of global properties • Instead check for substitutability of new component

  4. Substitutability Check • Given old and new components C, C’ and assembly A • Check if C’ is substitutable for C in A • Two phases: • Containment check • All interface behaviors of the previous component contained in new one • Compatibility check • Safety with respect to other components in assembly: all global specifications satisfied • Formulation • Obtain a finite interface behavioral model of all components by abstraction: labeled kripke structures • Use regular language inference in combination with a model checker

  5. Predicate Abstraction into LKS • Labeled Kripke Structures • <Q,,T,P,L> • Composition semantics • Synchronize on shared actions • Represents abstractions • State-event traces • <p,,q,, ....> p   q  !q !p

  6. lock=1 if (x < y) if (x < y) x >= y   L2 lock = 0 if (x >= y) if (x >= y) x < y x >= y   L3 lock = 0 Predicate Abstraction into LKS L1 void OSSemPend(…) { L1: lock = 1; if (x < y) { L2: lock = 0; … } if (x >= y) { … L3: lock = 0; … } else { … } } lock=1 x < y

  7. C1 C2 C3 Component C Predicate Abstraction M1 M2 M3 Component LKS M Component Interface LKS • Component • A set of communicating concurrent C programs or libraries • No recursion, inlined procedures • Abstracted into a Component Interface LKS • Communication between components is abstracted into interface actions • Interface LKS contains only interface actions

  8. a a Yes/No b b ±Counterexample/ Yes Unknown Regular Language Learning Regular languages: L* • Forms the basis of containment and compatibility checks • L* proposed by D. Angluin • Learning regular sets from queries and counterexamples, Information and Computation, 75(2), 1987. • Polynomial in the number of states and length of counterexample Minimally adequate Teacher L* learner IsMember( trace  ) IsCandidate( DFA D ) Modelchecker Minimum DFA

  9. Containment • Goal: • Learn useful behaviors from previous component into the new one • Given Component LKSs: M, M’ and Bug LKS B • Unknown U = L(M’) [ (L(M)n L(B)) • Iteratively learn the DFA SM’i using L* • Modelchecker • IsMember Query: 2 U • IsCandidate Query: U ´ L(SM’i) B M’ M

  10. Modelchecker New Component LKS M’ Old Component LKS M + Bug LKS Containment (contd.) IsMember Query: 2 U IsCandidate Query: U ´ L(SM’i) L* Learner SM’

  11. Containment (contd.) • In contrast to known Refinement-based approaches • Containment allows adding new behaviors in M’ e.g. M, M’ have different interleavings of same interface actions • Erroneous new behavior detected in Compatibility check • Finally SM’ • substitutable candidate • may not be safe with respect to other components • must verify the global behavioral specifications

  12. Compatibility check • Assume-guarantee to verify assembly properties • Similar to approach by Cobleigh et. al. at NASA Ames R1: M1 || A ² P R2: M2² A M1 || M2² P • Generate a (smaller) environment assumption A • A:most general environment so that P holds • Constructed iteratively using L* and R1, R2

  13. Compatibility check -CE for Ai R1: M1 || Ai² P L* Assumption Generation Ai true true R2: M2²Ai true CE Analysis True CE M1 || 2 P CE  False CE +CE for Ai

  14. Compatibility check (contd.) • Generate a most general assumption for SM’ • M1 = SM’ • M2 = Mn M (all other component LKSs) • Membership queries: • SM’ || µ P • Candidate queries: • SM’ || A µ P • M2µ A • CE analysis: SM’ || CE µ P • Yes) False CE • No)True CE

  15. CEGAR • Compatibility check infers • Either SM’ is substitutable • Or counterexample CE • CE may be spurious wrt C, C’ • CE is present in component LKS M or M’ • Must refine M, M’ • Repeat substitutability check

  16. Predicate Abstraction B M M’ M n M Containment U ´ L(SM’i) L* SM’ Compatibility SM’ || A ² P M n M ² A refine M, M’ spurious? Provide SM’ to developer false true SM’ not substitutable, CE provided CE C C’ An C

  17. Feedback to the Developer • If SM’ is substitutable • LKS showing how SM’ differs from M’ • If SM’ is not substitutable • counterexample showing the erroneous behavior in M’

  18. Related Work • Learning Assumptions: Cobleigh. et. al. • Do not consider state labeling of abstract models • Do not incorporate a CEGAR framework for AG • Compatibility of Component Upgrades: Ernst et. al. • Do not consider temporal sequence of actions in generating invariants • Interface Automata: Henzinger et. al. • Do not have CEGAR, AG • No procedure for computing interface automata

  19. Experiments • Prototype implementation in MAGIC framework • Inter-process communication component assembly • modified WriteMessageToQueue component • checked for substitutability inside the assembly of four components (read, write, queue, cs)

  20. Future Work • Domain-specific learning • Algorithm for learning LKSs directly • Learning -regular languages • Simulation check instead of trace containment • Generation of source code/ statecharts • Learning of Context Free Languages

More Related