[show abstract][hide abstract] ABSTRACT: A hallmark of object-oriented programming is the ability to perform
computation through a set of interacting objects. A common manifestation of
this style of programming is the notion of package, which groups a set of
commonly used classes together. A challenge in using a package, however, is to
ensure that a client follows the implicit protocol of the package when calling
its methods. Violations of the protocol can cause a runtime error or latent
invariant violations. With protocols often extending across different,
potentially unboundedly many, objects, and their documentations specified
informally, protocol violation errors are common.
We introduce dynamic package interfaces (DPI), a novel formalism to
explicitly capture the protocol of a package. The DPI of a package is a finite
set of rules that together specify how any set of interacting objects of the
package can evolve through method calls and under what conditions an error can
happen. We have developed a dynamic tool that computes an approximation of the
DPI of a package automatically, given a set of abstraction predicates. A key
property of DPI is that the unbounded number of configurations of objects of a
package are summarized finitely in an abstract domain. This follows from the
observation that many packages behave monotonically: the semantics of a method
call over a configuration does not essentially change if more objects are added
to the configuration. We have exploited this property and have devised
heuristics to obtain succinct yet general DPIs. We have used our tool to
compute DPIs for several commonly used Java packages with complex protocols,
such as JDBC, HashSet, and ArrayList.
[show abstract][hide abstract] ABSTRACT: Programmers using software components have to follow protocols that specify
when it is legal to call particular methods with particular arguments. For
example, one cannot use an iterator over a set once the set has been changed
directly or through another iterator. We formalize the notion of dynamic
package interfaces (DPI), which generalize state-machine interfaces for single
objects, and give an algorithm to statically compute a sound abstraction of a
DPI. States of a DPI represent (unbounded) sets of heap configurations and
edges represent the effects of method calls on the heap. We introduce a novel
heap abstract domain based on depth-bounded systems to deal with potentially
unboundedly many objects and the references among them. We have implemented our
algorithm and show that it is effective in computing representations of common
patterns of package usage, such as relationships between viewer and label,
container and iterator, and JDBC statements and cursors.
[show abstract][hide abstract] ABSTRACT: The static scheduling problem often arises as a fundamental problem in real-time systems and grid computing. We consider the problem of statically scheduling a large job expressed as a task graph on a large number of computing nodes, such as a data center. This paper solves the large-scale static scheduling problem using abstraction refinement, a technique commonly used in formal verification to efficiently solve computationally hard problems. A scheduler based on abstraction refinement first attempts to solve the scheduling problem with abstract representations of the job and the computing resources. As abstract representations are generally small, the scheduling can be done reasonably fast. If the obtained schedule does not meet specified quality conditions (like data center utilization or schedule makespan) then the scheduler refines the job and data center abstractions and, again solves the scheduling problem. We develop different schedulers based on abstraction refinement. We implemented these schedulers and used them to schedule task graphs from various computing domains on simulated data centers with realistic topologies. We compared the speed of scheduling and the quality of the produced schedules with our abstraction refinement schedulers against a baseline scheduler that does not use any abstraction. We conclude that abstraction refinement techniques give a significant speed-up compared to traditional static scheduling heuristics, at a reasonable cost in the quality of the produced schedules. We further used our static schedulers in an actual system that we deployed on Amazon EC2 and compared it against the Hadoop dynamic scheduler for large MapReduce jobs. Our experiments indicate that there is great potential for static scheduling techniques.
European Conference on Computer Systems, Proceedings of the Sixth European conference on Computer systems, EuroSys 2011, alzburg, Austria - April 10-13, 2011; 01/2011
[show abstract][hide abstract] ABSTRACT: Shape analysis is a promising technique to prove program properties about recursive data structures. The challenge is to automatically determine the data-structure type, and to supply the shape analysis with the necessary information about the data structure. We present a stepwise approach to the selection of instrumentation predicates for a TVLA-based shape analysis, which takes us a step closer towards the fully automatic verification of data structures. The approach uses two techniques to guide the refinement of shape abstractions: (1) during program exploration, an explicit heap analysis collects sample instances of the heap structures, which are used to identify the data structures that are manipulated by the program; and (2) during abstraction refinement along an infeasible error path, we consider different possible heap abstractions and choose the coarsest one that eliminates the infeasible path. We have implemented this combined approach for automatic shape refinement as an extension of the software model checker BLAST. Example programs from a data-structure library that manipulate doubly-linked lists and trees were successfully verified by our tool.
[show abstract][hide abstract] ABSTRACT: Depth-bounded processes form the most expressive known fragment of the π-calculus for which interesting verification problems are s till decidable. In this paper we develop an adequate domain of limits for the well-structured transition systems that are induced by depth-bounded processes. An immediate consequence of our result is that there exists a forward algorithm that decides the covering problem for this class. Unlike backward algorithms, the forward al- gorithm terminates even if the depth of the process is not known a priori. More importantly, our result suggests a whole spectrum of forward algorithms that en- able the effective verification of a large class of mobile sys tems.
Foundations of Software Science and Computational Structures, 13th International Conference, FOSSACS 2010, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2010, Paphos, Cyprus, March 20-28, 2010. Proceedings; 01/2010
[show abstract][hide abstract] ABSTRACT: Cloud computing aims to give users virtually unlimited pay-per-use computing resources without the burden of managing the underlying infrastructure. We claim that, in order to realize the full potential of cloud computing, the user must be presented with a pricing model that offers flexibility at the requirements level, such as a choice between different degrees of execution speed and the cloud provider must be presented with a programming model that offers flexibility at the execution level, such as a choice between different scheduling policies. In such a flexible framework, with each job, the user purchases a virtual computer with the desired speed and cost characteristics, and the cloud provider can optimize the utilization of resources across a stream of jobs from different users. We designed a flexible framework to test our hypothesis, which is called FlexPRICE (Flexible Provisioning of Resources in a Cloud Environment) and works as follows. A user presents a job to the cloud. The cloud finds different schedules to execute the job and presents a set of quotes to the user in terms of price and duration for the execution. The user then chooses a particular quote and the cloud is obliged to execute the job according to the chosen quote. FlexPRICE thus hides the complexity of the actual scheduling decisions from the user, but still provides enough flexibility to meet the users actual demands. We implemented FlexPRICE in a simulator called PRICES that allows us to experiment with our framework. We observe that FlexPRICE provides a wide range of execution options-from fast and expensive to slow and cheap-- for the whole spectrum of data-intensive and computation-intensive jobs. We also observe that the set of quotes computed by FlexPRICE do not vary as the number of simultaneous jobs increases.
IEEE International Conference on Cloud Computing, CLOUD 2010, Miami, FL, USA, 5-10 July, 2010; 01/2010
Fundamental Approaches to Software Engineering, 13th International Conference, FASE 2010, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2010, Paphos, Cyprus, March 20-28, 2010. Proceedings; 01/2010
[show abstract][hide abstract] ABSTRACT: Cloud computing is an emerging paradigm aimed to offer users pay-per-use computing resources, while leaving the burden of managing the computing infrastructure to the cloud provider. We present a new programming and pricing model that gives the cloud user the flexibility of trading execution speed and price on a per-job basis. We discuss the scheduling and resource management challenges for the cloud provider that arise in the implementation of this model. We argue that techniques from real-time and embedded software can be useful in this context.
Proceedings of the 10th International conference on Embedded software, EMSOFT 2010, Scottsdale, Arizona, USA, October 24-29, 2010; 01/2010
[show abstract][hide abstract] ABSTRACT: We present CSIsat, an interpolating decision procedure
for the quantifier-free theory of rational linear arithmetic and
equality with uninterpreted function symbols. Our implementation
combines the efficiency of linear programming for solving the
arithmetic part with the efficiency of a SAT solver to reason about
the boolean structure. We evaluate the efficiency of our tool on
benchmarks from software verification. Binaries and the source code
of CSIsat are publicly available as free software.
Computer Aided Verification, 20th International Conference, CAV 2008, Princeton, NJ, USA, July 7-14, 2008, Proceedings; 01/2008
[show abstract][hide abstract] ABSTRACT: We explore the border between decidability and undecidability of verification problems related to message passing systems that admit unbounded creation of threads and name mobility. Inspired by use cases in real-life programs we introduce the notion of depth-bounded message passing systems. A configuration of a message passing system can be represented as a graph. In a depth-bounded system the length of the longest acyclic path in each reachable configuration is bounded by a constant. While the general reachability problem for depth-bounded systems is undecidable, we prove that control reachability is decidable. In our decidability proof we show that depth-bounded systems are well-structured transition systems to which a forward algorithm for the covering problem can be applied.