Model Checking the Garbage Collection Mechanism of SMV


Slide 1

Model Checking the Garbage Collection Mechanism of SMV
Cindy Eisner
IBM Research Laboratory in Haifa

Slide 2

Outline
Motivation
Preliminaries
Naïve translation of C to EDL
A radical abstraction
A practical application: the garbage collection mechanism of SMV
Results
False negatives and false positives
Conclusion

Slide 3

Motivation
Model checking hardware is "old hat".
IBM has a production-quality model checker for hardware.
Software is the next frontier.
Question: exactly how far can we get with the existing hardware model checker?

Slide 4

Preliminaries
RuleBase is IBM's hardware model checker. Its inputs for hardware are:
VHDL/Verilog hardware design
EDL environment
Sugar specification
For software the inputs become:
C program (translated to EDL)
EDL behaviour of inputs
Sugar specification

Slide 5

Preliminaries (EDL)
EDL is a dialect of SMV:
    var a, b, c: boolean;
    assign next(a) := b & c;
    define d := a | c;

Slide 6

Preliminaries (Sugar)
Sugar is syntactic sugaring of CTL plus regular expressions. One kind of Sugar formula is used in this work: suffix implication.
Sugar: {true[*], a, b[*], c[+]}(d)
CTL:   !EF(a & EX E[b U E[c U (c & !d)]])

Slide 7

Preliminaries (cont.)
Basic idea:
The tool c2edl translates C to EDL as shown on the next slides.
Properties are written by hand in Sugar.
Run RuleBase and see how far we get.

Slide 8

Naïve translation of C to EDL

getmax() {
    int max, a;
0   a = max = 0;
1   do {
2       if (a > max)
3           max = a;
4       a = input();
5   } while (a);
6   return(max);
}

Each labelled statement becomes a value of the program counter pc; a variable read from the environment (a at pc=4) is modelled by a non-deterministic choice over its range:

next(a)   = if pc=0 then 0 else if pc=4 then {0,1,2,3} else a
next(max) = if pc=0 then 0 else if pc=3 then a else max
next(pc)  = if pc=0 then 1 else if pc=1 then 2
            else if pc=2 then if a > max then 3 else 4 …

Slide 9

Naïve translation of C to EDL (cont.)
Problems:
Data ranges must be very limited
Pointers
Function calls, including recursion

Slide 10

Naïve translation to EDL (function calls)

f() {
    …
5   if (a>b) {
6       /* push call */
7       g();
    }
8   c = d;
}
g() {
9   if (…)
10      …
11  return;
}

A call pushes its return address on an explicit stack and a return pops it:

next(pc) = if … else if pc=5 then if (a>b) then 6 else 8
           else if pc=6 then 9 else if pc=7 then 8 …
           else if pc=11 then stack[stackp]
next(stackp) := if pc=6 then stackp+1 else if pc=11 then stackp-1 else stackp

Slide 11

A radical abstraction
Eliminate all variables except:
the program counter
a bounded stack
Replace variable references with non-deterministic choice:
    if (a>b)  ->  if {0,1}

Slide 12

A practical application
For most programs, the abstraction of the previous slide takes away too much.
Is there an application for which this approach is useful?
Yes, at least one: the garbage collection mechanism of SMV.

Slide 13

The garbage collection mechanism of SMV
save_bdd()
release_bdd()
mygarbage()
Example:
    a = save_bdd(and_bdd(b,c));
    d = save_bdd(or_bdd(e,f));
    mygarbage();
    g = or_bdd(a,d);

Slide 14

The garbage collection mechanism of SMV (cont.)
Dangling reference (a BDD assigned to v without save_bdd, then garbage collected, then used):
{true[*], assign_v & !call_save_bdd_v, (!assign_v & !call_save_bdd_v)[*], call_mygarbage, !assign_v[*], use_v}(false)
All of these propositions can be expressed in terms of the program counter.

Slide 15

The garbage collection mechanism of SMV (cont.)
Memory leak (a saved BDD in v overwritten without release_bdd):
{true[*], call_save_bdd_v, !call_release_bdd_v[*], assign_v}(false)
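To make the abstraction of slide 11 and the two suffix-implication properties of slides 14 and 15 concrete, here is an added example (not code from the talk or from RuleBase): a small constructed client of the BDD routines is reduced to a program counter plus a bounded return stack, the two SEREs are turned into NFAs over per-statement event sets, and a breadth-first search over the product reports the first path on which a SERE matches, i.e. a counter-example to {sere}(false). Function and variable names, the event vocabulary and the program itself are assumptions made for the example.

```python
from collections import deque
# Added example (constructed, not code from the talk): the slide-11 abstraction of
# a small client of SMV's BDD routines, checked against the slide-14/15 SEREs.
PROGRAM = {  # pc: [(successor pc, events on BDD variable v)]; two entries = {0,1}
    0: [(1, {"assign_v", "save_v"})],   # v = save_bdd(and_bdd(b, c));
    1: [(2, set()), (3, set())],        # if (a > b)  ->  if {0,1}
    2: [(5, {"call"})],                 # g();  return address is pc + 1
    3: [(4, {"mygarbage"})],            # mygarbage();
    4: [(7, {"use_v"})],                # w = or_bdd(v, d);  pc 7 = end of f
    5: [(6, {"assign_v"})],             # g: v = or_bdd(e, f);  no save_bdd!
    6: [(None, {"return"})],            # g: return;  target comes from the stack
}
# SEREs as (predicate on the event set, starred?) lists; p[+] is written p, p[*].
DANGLING = [(lambda e: True, True),
            (lambda e: "assign_v" in e and "save_v" not in e, False),
            (lambda e: "assign_v" not in e and "save_v" not in e, True),
            (lambda e: "mygarbage" in e, False),
            (lambda e: "assign_v" not in e, True),
            (lambda e: "use_v" in e, False)]
LEAK = [(lambda e: True, True), (lambda e: "save_v" in e, False),
        (lambda e: "release_v" not in e, True), (lambda e: "assign_v" in e, False)]

def eps(sere, i):
    """NFA positions reachable from i by skipping starred elements."""
    return {i} | (eps(sere, i + 1) if i < len(sere) and sere[i][1] else set())

def advance(sere, positions, events):
    """One NFA step on one event set; position len(sere) means the SERE matched."""
    return {k for i in positions if i < len(sere) and sere[i][0](events)
            for k in eps(sere, i if sere[i][1] else i + 1)}

def check(program, sere, max_depth=1):
    """BFS over (pc, stack, NFA positions).  Returns the pc trace of the first
    path matching the SERE, i.e. a counter-example to {sere}(false), else None."""
    start = (0, (), frozenset(eps(sere, 0)))
    queue, seen = deque([(start, [0])]), {start}
    while queue:
        (pc, stack, pos), trace = queue.popleft()
        for target, ev in program.get(pc, []):
            stk = stack + (pc + 1,) if "call" in ev else stack[:-1] if "return" in ev else stack
            if "return" in ev and stack: target = stack[-1]
            if len(stk) > max_depth: continue      # bounded stack: path cut off
            npos = frozenset(advance(sere, pos, ev))
            if len(sere) in npos: return trace + [target]
            if (target, stk, npos) not in seen:
                seen.add((target, stk, npos))
                queue.append(((target, stk, npos), trace + [target]))
    return None
```

Both properties fail on the path through g (the trace shows the pc sequence), and with max_depth=0 the call is cut off and both checks pass, which is the stack-depth caveat of slide 18 in miniature.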

Slide 16

Results
Run time of a few hours for each group of 20 variables checked
No bugs found in SMV version r2.4.4
Eight real bugs found in the HRL version of SMV (a work in progress)

Slide 17

False negatives
Aliasing hides a use of a saved BDD from the per-variable properties:
    …
    b = save_bdd(a);
    c = b;
    mygarbage();
    d = c;
    …
Many could be eliminated through adherence to coding conventions and/or more precise Sugar specifications.

Slide 18

False positives
Because the depth of the stack was bounded, there may be false positives too.
It is probably possible to show that, because of the extent of the non-determinism, some bounded depth is sufficient.

Slide 19

Conclusion
Our motivation was to see how useful IBM's existing model checker would be for software.
Results were surprising: eight quite subtle bugs in real code were found easily.
Currently applying the hardware model checker to a distributed program with no re
