Proving Correctness of Threaded Parallel Executable Code Generated from Models Described by a Domain Specific Language
Total Page:16
File Type:pdf, Size:1020Kb
Eindhoven University of Technology MASTER Proving correctness of threaded parallel executable code generated from models described by a domain specific language Roede, S. Award date: 2012 Link to publication Disclaimer This document contains a student thesis (bachelor's or master's), as authored by a student at Eindhoven University of Technology. Student theses are made available in the TU/e repository upon obtaining the required degree. The grade received is not published on the document as presented in the repository. The required complexity or quality of research of student theses may vary by program, and the required minimum study period may vary in duration. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain TECHNISCHE UNIVERSITEIT EINDHOVEN Department of Mathematics and Computer Science Proving correctness of threaded parallel executable code generated from models described by a Domain Specific Language By S. Roede Supervisor & tutor Dr. R. Kuiper (TU/e) Ir. J.M.A.M Gabriels (TU/e) Eindhoven, July 2012 Computer Science and Engineering, Eindhoven University of Technology Master thesis Proving correctness of threaded parallel executable code generated from models described by a Domain Specific Language Author: Graduation supervisor: dr. Ruurd Kuiper ing. Sybren Roede Graduation tutor: [email protected] ir. Joost M.A.M Gabriels July 7, 2012 Preface This thesis was written in partial fulfilment of the requirements for graduation in a master degree in computing science at the Eindhoven University of Technology. This graduation project was done in the area of Software Technology for the research group Software Engineering Technology. The author would like to give a special thanks to my graduation supervisor Ruurd and my gradu- ation tutor Joost. They provided an excellent job in supervising the research work and correcting the thesis. During the process they made useful critical remarks and give valuable suggestions to strengthen the work. They made my graduation project a joyful process and learningful experi- ence. I want to thanks K. Rustan M. Leino of the Research in Software Engineering (RiSE) group at Microsoft Research. In an early stage of my graduation project he give me the change to use his expertise in the field of formal verification. My deep thanks go to Bart Jacobs of the Department of Computer Science of the Katholieke Universiteit Leuven, Belgium. The time he spend on me and the opportunity to learn from him is greatly appreciated. The verification in VeriFast could not been done without his guidance. The two afternoons in Leuven where very helpful and a great experience. The strong support and love of my friends and family is a blessing during my study. I am especially grateful to my family and lovely girlfriend who were tireless in motivating and supporting me to finish my master degree. 2 Abstract We investigate correctness of threaded parallel executable code generated from models described by a Domain Specific Language (DSL). There are challenges in developing correct multi-threaded code. Model Driven Engineering (MDE) is a promising approach: the mod- eling can be done at a high abstraction level and with a chain of model transformations the implementation code is generated. During my Capita Selecta, I made a realization of the code generation step of a particular MDE-chain, the transformation of state-machine like SLCO models into multi-threaded C# code. In the generation process, use of and inheritance from multi-threaded generic code was applied. The goal of the present research is to investigate formal specification and verification of the generic code. This was done by first making a small overview of available tools and selection of the best suited tool for the verification. After that, we performed a parameterized verification with VeriFast on an essential, non-trivial part of the framework. Finally we reflect on the lessons learned. 3 Contents 1 Introduction 6 1.1 Capita Selecta project . .6 1.2 Goals and approach . .7 1.2.1 Approach . .7 1.3 Overview . .8 2 Preliminaries 9 2.1 SLCO . .9 2.1.1 State machine . .9 2.1.2 Language constructs . .9 2.2 Toosm........................................... 12 2.2.1 Logging and state space . 17 3 Verification techniques 19 3.1 Hoare Logic . 19 3.2 Owicki and Gries . 20 3.3 Rely/guarantee . 20 3.4 Separation logic . 21 4 Verification tools 23 4.1 Tool introductions . 23 4.1.1 Spec# . 23 4.1.2 Code Contracts . 24 4.1.3 Dafny . 24 4.1.4 Chalice . 25 4.1.5 VeriFast . 25 4.1.6 ProPar . 26 4.2 Tool selection . 27 4.2.1 Spec# . 27 4.2.2 Code Contracts . 29 4.2.3 Dafny . 31 4.2.4 Chalice . 31 4.2.5 VeriFast . 32 4.2.6 ProPar . 33 4.3 Conclusions . 33 5 A closer look at Separation Logic 35 5.1 Basics . 35 5.2 Variables as resource . 36 5.3 Concurrency . 36 5.4 Semaphores . 37 5.5 Permissions . 38 5.6 Further reading . 39 6 A closer look at VeriFast 40 6.1 VeriFast features . 40 6.2 VeriFast IDE . 41 6.3 Verification example . 42 7 Verification of the communication channels 46 7.1 Abstraction . 46 7.2 Communication Channel . 47 7.2.1 Channel specifications . 47 4 7.2.2 Channel VeriFast specifications . 49 7.2.3 Channel VeriFast annotation . 51 7.3 Communication channel client ready . 53 7.3.1 Channel specifications . 54 7.3.2 Channel VeriFast specifications . 54 7.3.3 Channel VeriFast annotations . 57 7.4 Client program . 58 7.4.1 Client specification . 59 7.4.2 Client VeriFast specification . 59 7.4.3 Client VeriFast annotation . 63 7.5 Client program with multiple senders and receivers . 66 7.5.1 Client specification . 66 7.5.2 Client VeriFast specification . 66 7.5.3 VeriFast client annotation . 69 7.6 Client program with multiple senders and receivers and richer specifications . 72 7.6.1 Client specification . 72 7.6.2 Client VeriFast specification . 73 7.6.3 Client VeriFast annotation . 76 7.7 Remark on verification . 82 7.8 Source code improvements . 82 8 Conclusions and future work 86 8.1 Verification techniques and tools . 86 8.2 Verification of the communication channel . 87 8.3 Practicability and usefulness of tool-based approach . 88 8.3.1 VeriFast experience . 88 8.3.2 VeriFast effort . 88 8.3.3 VeriFast capabilities . 89 8.3.4 Formal verification experience . 90 8.3.5 Verification approach . 90 8.4 Threats to validity . 90 8.5 Future work . 91 A Appendix: Channel verification 96 A.1 Communication Channel (Ia) . 96 A.2 Communication Channel - client ready (Ib) . 99 A.3 Client - version 1 (II) . 103 A.4 Client - version 2 (IIIa) . 107 A.5 Client - version 3 (IIIb) . 113 A.6 Modifications to the VeriFast libraries . 123 B Appendix: Spec# - multithread example 125 5 1 Introduction A phenomenon in software engineering is that programs get bigger and more complex every year. In the last couple of years the emergence of concurrent programming received more attention. Programming those complex systems with concurrency is difficult: threading and synchronization can lead to a range of.