
1

VeriSoft

A Tool for the Automatic Analysis of Concurrent

Reactive Software

Presented by Miller Ofer

2

Content

I. Motivation for using automatic tools.

II. The main idea of the VeriSoft application.

III. Demo of a simple reactive system.


3

Motivation

• What is a concurrent system? A concurrent system is composed of components that operate concurrently and communicate with each other. Each component can be viewed as a "reactive system", i.e., a system that continuously interacts with its environment.

• Example: communication protocols.

4

Motivation

• Reactive systems are notably hard to test: traditional testing is of limited help, since test coverage is bound to be only a minute fraction of the possible behaviors of the system.

Their components may interact in many unexpected ways.

Scenarios leading to errors are often extremely difficult to reproduce.

5

The VeriSoft tool

• Purpose:

– Systematically explore the state space of systems composed of several concurrent processes executing arbitrary code.


6

The VeriSoft tool

• Purpose (continued):

– Automatically detect coordination problems between concurrent processes.

– An interactive graphical simulator/debugger is available for following the execution of all the processes.

7

The VeriSoft tool

• How does it work?

• Each process executes a sequence of operations that can be written in any C/C++ program.

• Processes communicate with each other by performing operations on communication objects (e.g. shared variables, semaphores, FIFO buffers).

[Figure: two processes, P1 and P2, communicating through a shared communication object (s.v)]


8

The VeriSoft tool

• Basic definitions:

• Definition: operations on communication objects are called visible operations, while all other operations are by default called invisible operations.

• Definition: the execution of an operation is said to be blocking if it cannot be completed (e.g. a receive on an empty FIFO buffer).

9

The VeriSoft tool

• Basic definitions (continued):

• Definition: the system is in a global state when the next operation to be executed by every process in the system is a visible operation.

• Definition: a transition is a visible operation followed by a finite sequence of invisible operations performed by a single process.

• Definition: a transition whose visible operation is blocking in a global state s is said to be disabled in s. Otherwise, the transition is said to be enabled in s.

10

The VeriSoft tool

• Basic assumptions:

• Assumption: only executions of visible operations may be blocking.

• Assumption: every process in the system always eventually attempts to execute a visible operation.

11

The VeriSoft tool

• A transition t that is enabled in a global state s can be executed from s. Once the execution of t from s is complete, the system reaches a global state s', called the successor of s by t.

• The state space of the concurrent system is composed of the global states that are reachable from the initial global state s0, and of the transitions that are possible between them.

12

The VeriSoft tool

• The VS_toss operation. In the case of a single "open" reactive system, the environment has to be represented; in practice such an environment may not be available.

VS_toss is a simplified representation of the environment that simulates its observable behavior.

VS_toss takes as argument a positive integer n and returns an integer in [0, n].

This operation is considered a visible and nondeterministic operation: the tool explores every possible return value.

13

The VeriSoft tool

• What kind of bugs does the application find?

• Deadlocks: states where the execution of the next operation of every process in the system is blocking.


14

The VeriSoft tool

• What kind of bugs does the application find?

• Assertion violations: can be specified by the user with the special operation VS_assert(expr). This operation is considered a visible operation.

If the expression evaluates to false, the assertion is said to be violated.

15

The VeriSoft tool

• What kind of bugs does the application find?

• Divergence: occurs when a process does not attempt to execute any visible operation for more than a given (user-specified) amount of time.

• Livelocks: occur when a process has no enabled transition during a sequence of more than a given (user-specified) number of successive global states.

16

Example

• Content:

– A program of an air conditioning controller.

– An environment.

– The manual simulation mode.

– The automatic simulation mode.

– The guided simulation mode.

17

Example

#include <string.h>   /* strcmp; to_me, QSZ and the VeriSoft primitives are declared elsewhere in the example */

void AC_controller()
{
    char *message;
    int is_room_hot = 0;     /* initially, room is not hot */
    int is_door_closed = 1;  /* and door is closed */
    int ac = 0;              /* so, ac is off */

    while (1) {
        /* visible operation on a communication object (the FIFO buffer to_me) */
        message = (char *) rcv_from_queue(to_me, QSZ);
        if (strcmp(message, "room_is_hot") == 0) {
            is_room_hot = 1;
        }
        if (strcmp(message, "room_is_cool") == 0) {
            is_room_hot = 0;
        }
        if (strcmp(message, "open_door") == 0) {
            is_door_closed = 0;
            ac = 0;
        }
        if (strcmp(message, "close_door") == 0) {
            is_door_closed = 1;
            if (is_room_hot)
                ac = 1;
        }
        /* test: whenever the room is hot and the door is closed, the AC must be on */
        if (is_room_hot && is_door_closed)
            VS_assert(ac);   /* visible operation of VeriSoft */
    }
}

First stage

rcv_from_queue is a visible operation on a communication object; VS_assert is a visible operation of VeriSoft.

19

#include <stdio.h>    /* sprintf */
#include <stdlib.h>   /* malloc; from_me, QSZ and the VeriSoft primitives are declared elsewhere in the example */

void Environment()
{
    char *message;
    message = (char *) malloc(100);

    while (1) {
        /* VS_toss(3) is a visible, nondeterministic operation: the tool tries all of 0..3 */
        switch (VS_toss(3)) {
        case 0: sprintf(message, "room_is_cool"); break;
        case 1: sprintf(message, "room_is_hot");  break;
        case 2: sprintf(message, "open_door");    break;
        case 3: sprintf(message, "close_door");   break;
        }
        /* visible operation on a communication object (the FIFO buffer from_me) */
        send_to_queue(from_me, QSZ, message);
    }
}

Second stage

VS_toss is a visible operation of VeriSoft; send_to_queue is a visible operation on a communication object.

20

Third stage: the manual simulation mode

Trace view: this part displays the operations that are visible according to the VeriSoft terminology: VS_toss, VS_assert, and operations on communication objects such as send_to_queue and rcv_from_queue.

Each "process view" shows the current state of the corresponding process. A process whose next instruction is colored in red is currently blocked.


21

Third stage

The red horizontal bar indicates the current position in the scenario.

Process 1 is colored in blue when it is the next process to be scheduled according to the scenario being played.

Process 2 is colored in yellow when another process (e.g. process 1) is about to execute a non-visible operation.

22

Fourth stage

• The automatic simulation mode. In this mode the application explores all possible executions of the system, which are represented by a graph called the "state space" of the system.

By default the application performs a systematic, state-less depth-first search of the state space, bounded by a maximum depth: each global state is reached by re-executing the system from the initial state along a path of transitions.

In our case VeriSoft immediately found a scenario leading to an assertion violation: the environment sends "room_is_hot" while the door is closed, the controller sets is_room_hot to 1 but leaves ac at 0, and VS_assert(ac) fails. This error trace is saved in a special file named "error1.path".
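To make the definitions on slides 8 to 11 concrete (visible operations, global states, enabled and disabled transitions, successors) and to show what the automatic mode's systematic search actually does, here is an added example; it is not VeriSoft code and not part of the presentation. The AC controller and its environment are re-expressed in Python with each visible operation as a `yield`, and a state-less, depth-bounded depth-first search enumerates the enabled transitions of every global state, reporting the first deadlock or assertion violation together with the path that reaches it. The FIFO capacity QSZ = 2 and the depth bound of 6 are assumed values; the slides never give them.

```python
"""Tiny VeriSoft-style state-less search (illustration only, not VeriSoft's code)."""
from collections import deque
from typing import Deque, Generator, List, Optional, Tuple

QSZ = 2          # assumed FIFO capacity: the slides name QSZ but never give its value
MAX_DEPTH = 6    # assumed depth bound; VeriSoft's search is depth-bounded as well

VisibleOp = Tuple       # ("rcv",) | ("send", msg) | ("toss", n) | ("assert", cond)
Move = Tuple[int, int]  # (process index, VS_toss outcome; 0 when the op is not a toss)


def ac_controller() -> Generator[VisibleOp, object, None]:
    """The slides' AC_controller, transliterated; every `yield` is a visible operation."""
    is_room_hot, is_door_closed, ac = 0, 1, 0
    while True:
        message = yield ("rcv",)            # rcv_from_queue(to_me, QSZ)
        if message == "room_is_hot":
            is_room_hot = 1                 # the slides' bug is kept: ac stays off
        if message == "room_is_cool":
            is_room_hot = 0
        if message == "open_door":
            is_door_closed, ac = 0, 0
        if message == "close_door":
            is_door_closed = 1
            if is_room_hot:
                ac = 1
        if is_room_hot and is_door_closed:  # invisible test ...
            yield ("assert", bool(ac))      # ... followed by the visible VS_assert(ac)


def environment() -> Generator[VisibleOp, object, None]:
    """The slides' Environment: VS_toss(3) picks one of four messages, then sends it."""
    messages = ["room_is_cool", "room_is_hot", "open_door", "close_door"]
    while True:
        k = yield ("toss", 3)               # VS_toss(3): nondeterministic choice in [0, 3]
        yield ("send", messages[k])         # send_to_queue(from_me, QSZ, message)


def enabled_moves(pending: List[VisibleOp], queue: Deque[str]) -> List[Move]:
    """Transitions enabled in the current global state; blocking visible ops are disabled."""
    moves: List[Move] = []
    for i, op in enumerate(pending):
        if op[0] == "rcv" and not queue:            # receive on an empty FIFO blocks
            continue
        if op[0] == "send" and len(queue) >= QSZ:   # send on a full FIFO blocks
            continue
        outcomes = range(op[1] + 1) if op[0] == "toss" else range(1)
        moves.extend((i, k) for k in outcomes)
    return moves


def replay(path: List[Move]) -> Tuple[Optional[str], List[Move]]:
    """State-less search step: re-execute the system from s0 along `path`.

    Returns (error, enabled moves in the global state reached); error is None,
    "assertion violation" or "deadlock".
    """
    procs = [ac_controller(), environment()]
    queue: Deque[str] = deque()
    pending = [next(p) for p in procs]   # run each process up to its first visible op: s0
    for proc, outcome in path:
        op = pending[proc]
        result: object = None
        if op[0] == "rcv":
            result = queue.popleft()
        elif op[0] == "send":
            queue.append(op[1])
        elif op[0] == "toss":
            result = outcome
        elif op[0] == "assert" and not op[1]:
            return "assertion violation", []
        pending[proc] = procs[proc].send(result)   # invisible ops run until the next visible op
    moves = enabled_moves(pending, queue)
    return (None if moves else "deadlock"), moves


def search(max_depth: int = MAX_DEPTH) -> Tuple[Optional[str], List[Move]]:
    """Depth-first, depth-bounded exploration of the state space; first error path wins."""
    stack: List[List[Move]] = [[]]
    while stack:
        path = stack.pop()
        error, moves = replay(path)
        if error:
            return error, path
        if len(path) < max_depth:
            stack.extend(path + [m] for m in reversed(moves))   # explore the lowest move first
    return None, []


if __name__ == "__main__":
    print(search())
```

Running `search()` returns ('assertion violation', [(1, 1), (1, 0), (0, 0), (0, 0)]): the environment tosses 1, sends room_is_hot, the controller receives it and then executes VS_assert(ac) with ac still 0. That path is the kind of trace VeriSoft writes to error1.path for replay in the guided mode. Because the search is depth-first, a larger depth bound can make it report a longer trace before this shortest one.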

23

Fifth stage

• The guided simulation mode: the error trace saved in the file "error1.path" is replayed step by step in the simulator.

24

Process view of AC_controller in the guided simulation (the variable initialization is shown separately):

void AC_controller()
{
    while (1) {
        message = (char *) rcv_from_queue(to_me, QSZ);
        if (strcmp(message, "room_is_hot") == 0) {
            is_room_hot = 1;
        }
        if (strcmp(message, "room_is_cool") == 0) {
            is_room_hot = 0;
        }
        if (strcmp(message, "open_door") == 0) {
            is_door_closed = 0;
            ac = 0;
        }
        if (strcmp(message, "close_door") == 0) {
            is_door_closed = 1;
            if (is_room_hot)
                ac = 1;
        }
        if (is_room_hot && is_door_closed)
            VS_assert(ac);
    }
}

Initialization

int is_room_hot = 0;

int is_door_closed = 1;

int ac = 0;
