VeriSoft
A Tool for the Automatic Analysis of Concurrent Reactive Software
Presented by Miller Ofer

Content
• Demo of a simple reactive system.
• Motivation for using automatic tools.
• The main idea of the VeriSoft application.
Motivation
• What is a concurrent system?
• A concurrent system is composed of elements that can operate concurrently and communicate with each other.
• Each component can be viewed as a ‘reactive system’, i.e., a system that continuously interacts with its environment.
• Example:
• Communication protocols.

Motivation
• Reactive systems are notably hard to test:
• Traditional tests are of limited help, since test coverage is bound to be only a minute fraction of the possible behaviors of the system.
• Their components may interact in many unexpected ways.
• Scenarios leading to errors are often extremely difficult to reproduce.
The VeriSoft tool
• Purposes:
• Systematically exploring the state space of systems composed of several concurrent processes executing arbitrary code.
• Automatically detecting coordination problems between concurrent processes.
• An interactive graphical simulator/debugger is available for following the execution of all the processes.
The VeriSoft tool
• How does it work?
• Each process executes a sequence of operations, which can be written as an arbitrary C/C++ program.
• Processes communicate with each other by performing operations on communication objects (e.g. shared variables, semaphores, FIFO buffers).
[Figure: two processes, P1 and P2, communicating through a shared variable (s.v)]
The VeriSoft tool
• Basic definitions:
• Definition: operations on communication objects are called visible operations, while all other operations are by default called invisible operations.
• Definition: the execution of an operation is said to be blocking if it cannot be completed.
• Definition: a global state is a state in which the next operation to be executed by every process in the system is a visible operation.
• Definition: a transition is a visible operation followed by a finite sequence of invisible operations performed by a single process.
• Definition: a transition whose visible operation is blocking in a global state s is said to be disabled in s. Otherwise, the transition is said to be enabled in s.
The VeriSoft tool
• Basic assumptions:
• Assumption: only executions of visible operations may be blocking.
• Assumption: every process in the system always eventually attempts to execute a visible operation.

The VeriSoft tool
• Once the execution of a transition t from s is complete, the system reaches a global state s', called the successor of s by t.
• The state space of the concurrent system is composed of the global states that are reachable from the initial global state s0, and of the transitions that are possible between them.
The VeriSoft tool
• The “VS_toss” operation
• In the case of a single “open” reactive system, the environment has to be represented; in practice, such an environment may not be available.
• VS_toss is a simplified representation of the environment, used to simulate its observable behavior.
• VS_toss takes as argument a positive integer n and returns an integer in [0,n].
• This operation is considered a visible and nondeterministic operation.
The VeriSoft tool
• What kind of bugs does the application find:
• Deadlocks
• States where the execution of the next operation of every process in the system is blocking.
• Assertion violations
• Can be specified by the user with the special operation “VS_assert”. This operation is considered a visible operation.
• If the expression evaluates to false, the assertion is said to be violated.
• Divergence
• Occurs when a process does not attempt to execute any visible operation for more than a given (user-specified) amount of time.
• Livelocks
• Occur when a process has no enabled transition during a sequence of more than a given (user-specified) number of successive global states.
Example
• Content
• A program of an air conditioning controller.
• An environment.
• The manual simulation mode.
• The automatic simulation mode.
• The guided simulation mode.
First stage

```c
#include <string.h>

/* rcv_from_queue, to_me and QSZ are supplied by the VeriSoft example harness */
void AC_controller() {
    char *message;
    int is_room_hot=0;     /* initially, room is not hot */
    int is_door_closed=1;  /* and door is closed */
    int ac=0;              /* so, ac is off */

    while (1) {
        /* Visible operation on a communication object */
        message=(char *)rcv_from_queue(to_me,QSZ);
        if (strcmp(message,"room_is_hot") == 0) { is_room_hot=1; };
        if (strcmp(message,"room_is_cool") == 0) { is_room_hot=0; };
        if (strcmp(message,"open_door") == 0) { is_door_closed=0; ac=0; };
        if ((strcmp(message,"close_door") == 0)) { is_door_closed=1; if (is_room_hot) ac=1; };
        /* test */
        /* Visible operation of 'VeriSoft' */
        if (is_room_hot && is_door_closed) VS_assert(ac);
    };
}
```
Second stage

```c
#include <stdio.h>
#include <stdlib.h>

/* send_to_queue, from_me and QSZ are supplied by the VeriSoft example harness;
   VS_toss(3) is VeriSoft's nondeterministic choice of an integer in [0,3] */
void Environment() {
    char *message;
    message=(char *)malloc(100);
    while (1) {
        /* Visible operation of 'VeriSoft' */
        switch(VS_toss(3)) {
            case 0: sprintf(message,"room_is_cool"); break;
            case 1: sprintf(message,"room_is_hot"); break;
            case 2: sprintf(message,"open_door"); break;
            case 3: sprintf(message,"close_door"); break;
        };
        /* Visible operation on a communication object */
        send_to_queue(from_me, QSZ, message);
    };
}
```
Third stage
Trace view: this part displays the operations that are visible according to the VeriSoft terminology: “VS_toss”, “VS_assert” and operations on communication objects such as “send_to_queue” and “rcv_from_queue”. Each “process view” shows the current state of the corresponding process. A process whose next instruction is colored in red is currently blocked.

Third stage
The red horizontal bar indicates the current position in this scenario. Process 1 will be colored in blue when it is the next process to be scheduled according to the scenario being played. Process 2 will be colored in yellow when another process (e.g. process 1) is about to execute a non-visible operation.
Fourth stage
• The automatic simulation mode.
• In this mode the application explores all possible executions of the system, which are represented by a graph called the “state space” of the system.
• By default the application performs a form of breadth-first search (BFS) of the state space.
• In our case the ‘VeriSoft’ application immediately found a scenario leading to an assertion violation. This error trace is saved in a special file named “error1.path”.
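To make the fourth-stage search concrete, the following is an added example (constructed for this page; it is not VeriSoft's code and not from the slides) that models the controller and environment above as a small transition system and explores its global state space breadth-first, the way the automatic mode does. It assumes a one-slot FIFO between the two processes, so a send is blocking when the slot is full and a receive is blocking when it is empty (the enabled/disabled transitions from the definitions earlier); the message codes follow the VS_toss(3) cases; and the `fixed` flag applies a hypothetical repair of the controller that is not on the slides. The explorer reports the shortest error path (the information VeriSoft writes to error1.path) and also flags deadlocks, i.e. global states with no enabled transition.

```c
#include <stdio.h>

/* Constructed model of the AC controller / environment pair (not VeriSoft code).
   Message codes follow the VS_toss(3) cases of the Environment process. */
enum { ROOM_IS_COOL = 0, ROOM_IS_HOT = 1, OPEN_DOOR = 2, CLOSE_DOOR = 3, QUEUE_EMPTY = -1 };
enum { RCV = 4 };          /* transition label for the controller's receive */
#define MAX_STATES 64      /* 8 controller valuations x 5 queue contents = 40 possible */

typedef struct {
    int is_room_hot, is_door_closed, ac;  /* AC_controller's variables */
    int queue;                            /* one-slot FIFO: QUEUE_EMPTY or a message */
} global_state;

typedef struct {
    int violation_found;   /* a reachable global state violates VS_assert(ac) */
    int deadlock_found;    /* a reachable global state has no enabled transition */
    int depth;             /* length of the shortest error path */
    int path[MAX_STATES];  /* error path: 0..3 = environment sends msg, RCV = controller receives */
} result;

/* Unique index of a global state, used for the visited table. */
static int encode(const global_state *s) {
    return (s->queue + 1) * 8 + (s->is_room_hot << 2) + (s->is_door_closed << 1) + s->ac;
}

/* One loop iteration of AC_controller after rcv_from_queue returned msg.
   fixed != 0 applies a hypothetical repair (an assumption, not on the slides):
   switch the AC on as soon as the room is hot while the door is closed. */
static void controller_step(global_state *s, int msg, int fixed) {
    if (msg == ROOM_IS_HOT)  { s->is_room_hot = 1; if (fixed && s->is_door_closed) s->ac = 1; }
    if (msg == ROOM_IS_COOL) { s->is_room_hot = 0; }
    if (msg == OPEN_DOOR)    { s->is_door_closed = 0; s->ac = 0; }
    if (msg == CLOSE_DOOR)   { s->is_door_closed = 1; if (s->is_room_hot) s->ac = 1; }
}

/* The slide's test: if (is_room_hot && is_door_closed) VS_assert(ac); */
static int assertion_holds(const global_state *s) {
    return !(s->is_room_hot && s->is_door_closed) || s->ac;
}

/* Breadth-first exploration of the global state space, as the automatic mode does. */
result explore(int fixed) {
    global_state states[MAX_STATES];
    int parent[MAX_STATES], label[MAX_STATES], index_of[40];
    int head = 0, tail = 1, i;
    result r = { 0, 0, 0, {0} };

    for (i = 0; i < 40; i++) index_of[i] = -1;
    /* Initial global state s0: the slide's initialisation plus an empty queue. */
    states[0].is_room_hot = 0; states[0].is_door_closed = 1; states[0].ac = 0;
    states[0].queue = QUEUE_EMPTY;
    parent[0] = -1; label[0] = -1;
    index_of[encode(&states[0])] = 0;

    while (head < tail) {
        int cur = head++, enabled = 0, t;
        global_state s = states[cur];
        for (t = 0; t <= RCV; t++) {            /* candidate transitions from s */
            global_state next = s;
            if (t < RCV) {                      /* Environment: send_to_queue after VS_toss(3) == t */
                if (s.queue != QUEUE_EMPTY) continue;   /* blocking: the slot is full */
                next.queue = t;
            } else {                            /* Controller: rcv_from_queue */
                if (s.queue == QUEUE_EMPTY) continue;   /* blocking: nothing to read */
                next.queue = QUEUE_EMPTY;
                controller_step(&next, s.queue, fixed);
            }
            enabled++;
            if (index_of[encode(&next)] != -1 || tail >= MAX_STATES) continue;
            states[tail] = next; parent[tail] = cur; label[tail] = t;
            index_of[encode(&next)] = tail;
            if (!assertion_holds(&next)) {     /* reconstruct the error path (cf. error1.path) */
                int n, d = 0;
                for (n = tail; parent[n] != -1; n = parent[n]) d++;
                r.violation_found = 1; r.depth = d;
                for (n = tail; parent[n] != -1; n = parent[n]) r.path[--d] = label[n];
                return r;
            }
            tail++;
        }
        if (enabled == 0) r.deadlock_found = 1;  /* deadlock: every next operation blocks */
    }
    return r;
}

/* Small accessors so individual results can be checked without copying the struct. */
int violation_depth(int fixed) { result r = explore(fixed); return r.violation_found ? r.depth : -1; }
int error_path_label(int fixed, int i) { result r = explore(fixed); return r.path[i]; }
int has_deadlock(int fixed) { result r = explore(fixed); return r.deadlock_found; }

int main(void) {
    static const char *names[] = { "room_is_cool", "room_is_hot", "open_door", "close_door", "rcv" };
    result r = explore(0);
    int i;
    printf("original controller: %s\n", r.violation_found ? "assertion violation" : "no violation");
    for (i = 0; i < r.depth; i++) printf("  step %d: %s\n", i + 1, names[r.path[i]]);
    printf("repaired controller: violation depth %d, deadlock %d\n", violation_depth(1), has_deadlock(1));
    return 0;
}
```

Run as is, the search finds the violation after two transitions: the environment sends "room_is_hot" and the controller receives it while the door is closed, leaving ac at 0. That is the same scenario the slides describe VeriSoft finding immediately, and it is found on the first receive precisely because BFS visits shortest paths first. With the hypothetical repair enabled, every reachable global state satisfies the assertion and no state is deadlocked.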
Fifth stage
The guided simulation mode, replaying the file “error1.path”.

```c
#include <string.h>

/* Initialization */
int is_room_hot=0;
int is_door_closed=1;
int ac=0;

/* rcv_from_queue, to_me and QSZ are supplied by the VeriSoft example harness */
void AC_controller() {
    char *message;
    while (1) {
        message=(char *)rcv_from_queue(to_me,QSZ);
        if (strcmp(message,"room_is_hot") == 0) { is_room_hot=1; };
        if (strcmp(message,"room_is_cool") == 0) { is_room_hot=0; };
        if (strcmp(message,"open_door") == 0) { is_door_closed=0; ac=0; };
        if ((strcmp(message,"close_door") == 0)) { is_door_closed=1; if (is_room_hot) ac=1; };
        if (is_room_hot && is_door_closed) VS_assert(ac);
    };
}
```