Program Model Checking

National Aeronautics and Space Administration
Intelligent Systems Division
NASA Ames Research Center

Program Model Checking: A Practitioner's Guide

Masoud Mansouri-Samani, Perot Systems Government Services
Peter C. Mehlitz, Perot Systems Government Services
Corina S. Pasareanu, Perot Systems Government Services
John J. Penix, Google, Inc.
Guillaume P. Brat, USRA/RIACS
Lawrence Z. Markosian, Perot Systems Government Services
Owen O'Malley, Yahoo, Inc.
Thomas T. Pressburger, NASA Ames Research Center
Willem C. Visser, Seven Networks, Inc.

January 15, 2008, Version 1.1

Contents

Contents ... iii
Figures ... ix
Preface ... xi
1 Introduction ... 1
  1.1 What is Model Checking? ... 1
  1.2 Hardware vs. Software Model Checking ... 1
  1.3 What is Program Model Checking? ... 2
  1.4 Advantages of Model Checking ... 3
  1.5 Model-Checking Challenges ... 4
  1.6 Objectives of this Guidebook ... 5
2 Programs, Properties, and Models ... 7
  2.1 Models ... 7
    2.1.1 Model Construction ... 7
    2.1.2 Model Extraction ... 7
    2.1.3 Programs as Models ... 8
  2.2 Model Checking a Program ... 8
  2.3 Properties ... 9
    2.3.1 Types of Properties ... 10
      2.3.1.1 Generic vs. Application-Specific Properties ... 10
      2.3.1.2 Safety Properties ... 10
      2.3.1.3 Liveness Properties ... 11
      2.3.1.4 Fairness Properties ... 11
      2.3.1.5 Temporal Properties ... 11
    2.3.2 Identifying and Eliciting Critical Properties ... 11
    2.3.3 Specifying Properties ... 12
      2.3.3.1 Property Specification in Java PathFinder ... 12
      2.3.3.2 Property Specification in SPIN ... 13
      2.3.3.3 Property Patterns ... 13
    2.3.4 Inserting Property Oracles ... 14
      2.3.4.1 Programming by Contract ... 15
        2.3.4.1.1 Support for Programming by Contract ... 16
        2.3.4.1.2 Other Uses of Programming by Contract ... 22
      2.3.4.2 Aspect-Oriented Programming ... 22
    2.3.5 Understanding Property Violations ... 24
3 Test Drivers and Environment Models ... 25
  3.1 Analyzing Open Programs ... 25
  3.2 Universal Environments ... 25
  3.3 Filter-Based Methods ... 27
    3.3.1 Discharging Assumptions ... 28
  3.4 Tool Support and Applications ... 29
4 Program Abstraction ... 31
  4.1 Introduction ... 31
    4.1.1 Property Preservation ... 31
      4.1.1.1 Weak Preservation ... 31
      4.1.1.2 Strong Preservation ... 32
      4.1.1.3 Error Preservation ... 32
    4.1.2 Behavior Approximation ... 32
      4.1.2.1 Over-approximation ... 32
      4.1.2.2 Under-approximation ... 33
      4.1.2.3 Exact Abstraction ... 33
  4.2 Data Abstraction ... 33
    4.2.1 Abstract Interpretation ... 34
    4.2.2 Useful Abstractions ... 36
    4.2.3 Abstracting Non-base Types ... 37
      4.2.3.1 Abstractions for Data Structures ... 37
      4.2.3.2 Data Independence ... 37
      4.2.3.3 Container Abstractions ... 37
      4.2.3.4 Heap Abstractions ... 38
  4.3 Predicate Abstraction ... 39
  4.4 Model-Driven Verification ... 40
  4.5 Tool Support and Applications ... 42
5 Search and Partial Coverage ... 45
  5.1 Selecting a Search Strategy ... 46
    5.1.1 Depth-First Search ... 46
    5.1.2 Breadth-First Search ... 46
    5.1.3 DFS and BFS Tradeoffs ... 46
    5.1.4 Bounded Searches ... 47
    5.1.5 Heuristic Search ... 47
      5.1.5.1 Best-First Search ... 48
        5.1.5.1.1 Greedy Best-First Search ... 48
        5.1.5.1.2 A* Search ... 48
        5.1.5.1.3 Beam Search ... 49
      5.1.5.2 Random Search ... 49
  5.2 Model Checking vs. Testing ... 50
  5.3 Coverage for Model Checking ... 51
  5.4 Directed Model Checking ... 52
    5.4.1 Property-Specific Heuristics ... 52
    5.4.2 Structural Heuristics ... 53
      5.4.2.1 Code Coverage Heuristics ... 53
      5.4.2.2 Thread Interleaving Heuristics ... 54
      5.4.2.3 Thread Preference Heuristic ... 55
      5.4.2.4 Choose-free Heuristic ...

Details

  • File Type: pdf
  • Content Language: English
  • File Pages: 141