George S. Avrunin

Property specification patterns for finite-state verification

Finite-state verification (e.g., model checking) provides a powerful means to detect errors that are often subtle and difficult to reproduce. Nevertheless, the transition of this technology from research to practice has been slow. While there are a number of potential causes for reluctance in adopting such formal methods in practice, we believe that a primary cause rests with the fact that practitioners are unfamiliar with specification processes, notations, and strategies. Recent years have seen growing success in leveraging experience with design and coding patterns. We propose a pattern-based approach to the presentation, codification and reuse of property specifications for finite-state verification.

Automated analysis of concurrent systems with the constrained expression toolset

The constrained expression approach to analysis of concurrent software systems can be used with a variety of design and programming languages and does not require a complete enumeration of the set of reachable states of the concurrent system. The construction of a toolset automating the main constrained expression analysis techniques and the results of experiments with that toolset are reported. The toolset is capable of carrying out completely automated analyses of a variety of concurrent systems, starting from source code in an Ada-like design language and producing system traces displaying the properties represented bv the analysts queries. The strengths and weaknesses of the toolset and the approach are assessed on both theoretical and empirical grounds. >

An efficient algorithm for computing MHP information for concurrent Java programs

Information about which statements in a concurrent program may happen in parallel (MHP) has a number of important applications. It can be used in program optimization, debugging, program understanding tools, improving the accuracy of data flow approaches, and detecting synchronization anomalies, such as data races. In this paper we propose a data flow algorithm for computing a conservative estimate of the MHP information for Java programs that has a worst-case time bound that is cubic in the size of the program. We present a preliminary experimental comparison between our algorithm and a reachability analysis algorithm that determines the “ideal” static MHP information for concurrent Java programs. This initial experiment indicates that our data flow algorithm precisely computed the ideal MHP information in the vast majority of cases we examined. In the two out of 29 cases where the MHP algorithm turned out to be less than ideally precise, the number of spurious pairs was small compared to the total number of ideal MHP pairs.

A conservative data flow algorithm for detecting all pairs of statements that may happen in parallel

Information about which pairs of statements in a concurrent program can execute in parallel is important for optimizing and debugging programs, for detecting anomalies, and for improving the accuracy of data flow analysis. In this paper, we describe a new data flow algorithm that finds a conservative approximation of the set of all such pairs. We have carried out an initial comparison of the precision of our algorithm and that of the most precise of the earlier approaches, Masticola and Ryders non-concurrency analysis [8], using a sample of 159 concurrent Ada programs that includes the collection assembled by Masticola and Ryder. For these examples, our algorithm was almost always more precise than non-concurrency analysis, in the sense that the set of pairs identified by our algorithm as possibly happening in parallel is a proper subset of the set identified by non-concurrency analysis. In 132 cases, we were able to use reachability analysis to determine exactly the set of pairs of statements that may happen in parallel. For these cases, there were a total of only 10 pairs identified by our algorithm that cannot actually happen in parallel.

Quillen Stratification for Modules

Let G be a finite group and k a fixed algebraically closed field of characteristic p>O. If p is odd, let H, be the subring of H*(G, k) consisting of elements of even degree; following [20-221 we take H, = H*(G, k) if p=2, though one could just as well use the subring of elements of even degree for all p. H, is a finitely generated commutative k-algebra [13], and we let V, denote its associated affine variety Max H,. If M is any finitely generated kG-module, then the cohomology variety V,(M) of M may be defined as the support in V, of the H,-module H*(G, M) if G is a p-group, and in general as the largest support of H*(G, L@ M), where L is any kG-module [4, 91. A module L with each irreducible kc-module as a direct summand will serve. D. Quillen [20-221 proved a number of beautiful results relating k;; to the varieties V, associated with the various elementary abelian p-subgroups E of G, culminating in his stratification theorem [20, 221. This theorem gives a piecewise description of V, almost explicitly in terms of the subgroups E and their normalizers in G. A well-known corollary is that dim V, =max dim V,, where E

Using integer programming to verify general safety and liveness properties

Analysis of concurrent systems is plagued by the state explosion problem. We describe an analysis technique that uses necessary conditions, in the form of linear inequalities, to verify certain properties of concurrent systems, thus avoiding the enumeration of the potentially explosive number of reachable states of the system. This technique has been shown to be capable of verifying simple safety properties, like freedom from deadlock, that can be expressed in terms of the number of certain events occurring in a finite execution, and has been successfully used to analyze a variety of concurrent software systems. In this paper, we extend the technique to the verification of more complex safety properties that involve the order of events and to the verification of liveness properties, which involve infinite executions.

Using model checking with symbolic execution to verify parallel numerical programs

We present a method to verify the correctness of parallel programs that perform complex numerical computations, including computations involving floating-point arithmetic. The method requires that a sequential version of the program be provided, to serve as the specification for the parallel one. The key idea is to use model checking, together with symbolic execution, to establish the equivalence of the two programs.

Data flow analysis for checking properties of concurrent Java programs

In this paper we show how the FLAVERS data flow analysis technique, originally formulated for systems using a rendezvous concurrency model, can be applied to the various concurrency models used in Java programs. The general approach of FLAVERS is based on modeling a concurrent system as a flow graph and, using a data flow analysis algorithm over this graph, statically checking if a property holds on all (or no) executions of the program. The accuracy of this analysis can be iteratively improved, as needed, by supplying additional constraints, represented as finite state automata, to the data flow analysis algorithm. In this paper we present an approach for analyzing Java programs that uses the constraint mechanism to model the possible communications among threads in Java programs, instead of representing them directly in the flow graph model. We also discuss a number of error-prone thread communication patterns that can arise in Java and describe how FLAVERS can be used to check for the presence of these. A preliminary evaluation of this approach is carried out by analyzing some small concurrent Java programs for these error-prone communication patterns and other, program-specific, faults.

Breaking up is hard to do: An evaluation of automated assume-guarantee reasoning

Finite-state verification techniques are often hampered by the state-explosion problem. One proposed approach for addressing this problem is assume-guarantee reasoning, where a system under analysis is partitioned into subsystems and these subsystems are analyzed individually. By composing the results of these analyses, it can be determined whether or not the system satisfies a property. Because each subsystem is smaller than the whole system, analyzing each subsystem individually may reduce the overall cost of verification. Often the behavior of a subsystem is dependent on the subsystems with which it interacts, and thus it is usually necessary to provide assumptions about the environment in which a subsystem executes. Because developing assumptions has been a difficult manual task, the evaluation of assume-guarantee reasoning has been limited. Using recent advances for automatically generating assumptions, we undertook a study to determine if assume-guarantee reasoning provides an advantage over monolithic verification. In this study, we considered all two-way decompositions for a set of systems and properties, using two different verifiers, FLAVERS and LTSA. By increasing the number of repeated tasks in these systems, we evaluated the decompositions as they were scaled. We found that in only a few cases can assume-guarantee reasoning verify properties on larger systems than monolithic verification can, and in these cases the systems that can be analyzed are only a few sizes larger. Although these results are discouraging, they provide insight about research directions that should be pursued and highlight the importance of experimental evaluation in this area.

Applying static analysis to software architectures

In this paper we demonstrate how static concurrency analysis techniques can be used to verify application-specific properties of an architecture description. Specifically, we use two concurrency analysis tools, INCA, a flow equation based tool, and FLAVERS, a data flow analysis based tool, to detect errors or prove properties of a WRIGHT architecture description of the gas station problem. Although both these tools are research prototypes, they illustrate the potential of static analysis for verifying that architecture descriptions adhere to important properties, for detecting problems early in the lifecycle, and for helping developers understand the changes that need to be made to satisfy the properties being analyzed.