Publications (18)2.12 Total impact

Chapter: Dynamic Package Interfaces
[Show abstract] [Hide abstract]
ABSTRACT: A hallmark of objectoriented programming is the ability to perform computation through a set of interacting objects. A common manifestation of this style is the notion of a package, which groups a set of commonly used classes together. A challenge in using a package is to ensure that a client follows the implicit protocol of the package when calling its methods. Violations of the protocol can cause a runtime error or latent invariant violations. These protocols can extend across different, potentially unboundedly many, objects, and are specified informally in the documentation. As a result, ensuring that a client does not violate the protocol is hard. We introduce dynamic package interfaces (DPI), a formalism to explicitly capture the protocol of a package. The DPI of a package is a finite set of rules that together specify how any set of interacting objects of the package can evolve through method calls and under what conditions an error can happen. We have developed a dynamic tool that automatically computes an approximation of the DPI of a package, given a set of abstraction predicates. A key property of DPI is that the unbounded number of configurations of objects of a package are summarized finitely in an abstract domain. This uses the observation that many packages behave monotonically: the semantics of a method call over a configuration does not essentially change if more objects are added to the configuration. We have exploited monotonicity and have devised heuristics to obtain succinct yet general DPIs. We have used our tool to compute DPIs for several commonly used Java packages with complex protocols, such as JDBC, HashSet, and ArrayList  [Show abstract] [Hide abstract]
ABSTRACT: A hallmark of objectoriented programming is the ability to perform computation through a set of interacting objects. A common manifestation of this style of programming is the notion of package, which groups a set of commonly used classes together. A challenge in using a package, however, is to ensure that a client follows the implicit protocol of the package when calling its methods. Violations of the protocol can cause a runtime error or latent invariant violations. With protocols often extending across different, potentially unboundedly many, objects, and their documentations specified informally, protocol violation errors are common. We introduce dynamic package interfaces (DPI), a novel formalism to explicitly capture the protocol of a package. The DPI of a package is a finite set of rules that together specify how any set of interacting objects of the package can evolve through method calls and under what conditions an error can happen. We have developed a dynamic tool that computes an approximation of the DPI of a package automatically, given a set of abstraction predicates. A key property of DPI is that the unbounded number of configurations of objects of a package are summarized finitely in an abstract domain. This follows from the observation that many packages behave monotonically: the semantics of a method call over a configuration does not essentially change if more objects are added to the configuration. We have exploited this property and have devised heuristics to obtain succinct yet general DPIs. We have used our tool to compute DPIs for several commonly used Java packages with complex protocols, such as JDBC, HashSet, and ArrayList.  [Show abstract] [Hide abstract]
ABSTRACT: Programmers using software components have to follow protocols that specify when it is legal to call particular methods with particular arguments. For example, one cannot use an iterator over a set once the set has been changed directly or through another iterator. We formalize the notion of dynamic package interfaces (DPI), which generalize statemachine interfaces for single objects, and give an algorithm to statically compute a sound abstraction of a DPI. States of a DPI represent (unbounded) sets of heap configurations and edges represent the effects of method calls on the heap. We introduce a novel heap abstract domain based on depthbounded systems to deal with potentially unboundedly many objects and the references among them. We have implemented our algorithm and show that it is effective in computing representations of common patterns of package usage, such as relationships between viewer and label, container and iterator, and JDBC statements and cursors. 
Conference Paper: Automating Separation Logic Using SMT
[Show abstract] [Hide abstract]
ABSTRACT: Separation logic (SL) has gained widespread popularity because of its ability to succinctly express complex invariants of a program's heap configurations. Several specialized provers have been developed for decidable SL fragments. However, these provers cannot be easily extended or combined with solvers for other theories that are important in program verification, e.g., linear arithmetic. In this paper, we present a reduction of decidable SL fragments to a decidable firstorder theory that fits well into the satisfiability modulo theories (SMT) framework. We show how to use this reduction to automate satisfiability, entailment, frame inference, and abduction problems for separation logic using SMT solvers. Our approach provides a simple method of integrating separation logic into existing verification tools that provide SMT backends, and an elegant way of combining SL fragments with other decidable firstorder theories. We implemented this approach in a verification tool and applied it to heapmanipulating programs whose verification involves reasoning in theory combinations. 
Conference Paper: Structural Counter Abstraction
[Show abstract] [Hide abstract]
ABSTRACT: DepthBounded Systems form an expressive class of wellstructured transition systems. They can model a wide range of concurrent infinitestate systems including those with dynamic thread creation, dynamically changing communication topology, and complex shared heap structures. We present the first method to automatically prove fair termination of depthbounded systems. Our method uses a numerical abstraction of the system, which we obtain by systematically augmenting an overapproximation of the system's reachable states with a finite set of counters. This numerical abstraction can be analyzed with existing termination provers. What makes our approach unique is the way in which it exploits the wellstructuredness of the analyzed system. We have implemented our work in a prototype tool and used it to automatically prove liveness properties of complex concurrent systems, including nonblocking algorithms such as Treiber's stack and several distributed processes. Many of these examples are beyond the scope of termination analyses that are based on traditional counter abstractions. 
Conference Paper: Ideal Abstractions for WellStructured Transition Systems
[Show abstract] [Hide abstract]
ABSTRACT: Many infinite state systems can be seen as wellstructured transition systems (WSTS), i.e., systems equipped with a wellquasiordering on states that is also a simulation relation. WSTS are an attractive target for formal analysis because there exist generic algorithms that decide interesting verification problems for this class. Among the most popular algorithms are accelerationbased forward analyses for computing the covering set. Termination of these algorithms can only be guaranteed for flattable WSTS. Yet, many WSTS of practical interest are not flattable and the question whether any given WSTS is flattable is itself undecidable. We therefore propose an analysis that computes the covering set and captures the essence of accelerationbased algorithms, but sacrifices precision for guaranteed termination. Our analysis is an abstract interpretation whose abstract domain builds on the ideal completion of the wellquasiordered state space, and a widening operator that mimics acceleration and controls the loss of precision of the analysis. We present instances of our framework for various classes of WSTS. Our experience with a prototype implementation indicates that, despite the inherent precision loss, our analysis often computes the precise covering set of the analyzed system.  [Show abstract] [Hide abstract]
ABSTRACT: We study evolutionary game theory in a setting where individuals learn from each other. We extend the traditional approach by assuming that a population contains individuals with different learning abilities. In particular, we explore the situation where individuals have different search spaces, when attempting to learn the strategies of others. The search space of an individual specifies the set of strategies learnable by that individual. The search space is genetically given and does not change under social evolutionary dynamics. We introduce a general framework and study a specific example in the context of direct reciprocity. For this example, we obtain the counter intuitive result that cooperation can only evolve for intermediate benefittocost ratios, while small and large benefittocost ratios favor defection. Our paper is a step toward making a connection between computational learning theory and evolutionary game dynamics. 
Conference Paper: Scheduling large jobs by abstraction refinement
[Show abstract] [Hide abstract]
ABSTRACT: The static scheduling problem often arises as a fundamental problem in realtime systems and grid computing. We consider the problem of statically scheduling a large job expressed as a task graph on a large number of computing nodes, such as a data center. This paper solves the largescale static scheduling problem using abstraction refinement, a technique commonly used in formal verification to efficiently solve computationally hard problems. A scheduler based on abstraction refinement first attempts to solve the scheduling problem with abstract representations of the job and the computing resources. As abstract representations are generally small, the scheduling can be done reasonably fast. If the obtained schedule does not meet specified quality conditions (like data center utilization or schedule makespan) then the scheduler refines the job and data center abstractions and, again solves the scheduling problem. We develop different schedulers based on abstraction refinement. We implemented these schedulers and used them to schedule task graphs from various computing domains on simulated data centers with realistic topologies. We compared the speed of scheduling and the quality of the produced schedules with our abstraction refinement schedulers against a baseline scheduler that does not use any abstraction. We conclude that abstraction refinement techniques give a significant speedup compared to traditional static scheduling heuristics, at a reasonable cost in the quality of the produced schedules. We further used our static schedulers in an actual system that we deployed on Amazon EC2 and compared it against the Hadoop dynamic scheduler for large MapReduce jobs. Our experiments indicate that there is great potential for static scheduling techniques.  [Show abstract] [Hide abstract]
ABSTRACT: Concurrent data structures with finegrained synchronization are notoriously difficult to implement correctly. The difficulty of reasoning about these implementations does not stem from the number of variables or the program size, but rather from the large number of possible interleavings. These implementations are therefore prime candidates for model checking. We introduce an algorithm for verifying linearizability of singlylinked heapbased concurrent data structures. We consider a model consisting of an unbounded heap where each vertex stores an element from an unbounded data domain, with a restricted set of operations for testing and updating pointers and data elements. Our main result is that linearizability is decidable for programs that invoke a fixed number of methods, possibly in parallel. This decidable fragment covers many of the common implementation techniques — finegrained locking, lazy synchronization, and lockfree synchronization. We also show how the technique can be used to verify optimistic implementations with the help of programmer annotations. We developed a verification tool CoLT and evaluated it on a representative sample of Java implementations of the concurrent set data structure. The tool verified linearizability of a number of implementations, found a known error in a lockfree implementation and proved that the corrected version is linearizable. 
Conference Paper: FlexPRICE: Flexible Provisioning of Resources in a Cloud Environment
[Show abstract] [Hide abstract]
ABSTRACT: Cloud computing aims to give users virtually unlimited payperuse computing resources without the burden of managing the underlying infrastructure. We claim that, in order to realize the full potential of cloud computing, the user must be presented with a pricing model that offers flexibility at the requirements level, such as a choice between different degrees of execution speed and the cloud provider must be presented with a programming model that offers flexibility at the execution level, such as a choice between different scheduling policies. In such a flexible framework, with each job, the user purchases a virtual computer with the desired speed and cost characteristics, and the cloud provider can optimize the utilization of resources across a stream of jobs from different users. We designed a flexible framework to test our hypothesis, which is called FlexPRICE (Flexible Provisioning of Resources in a Cloud Environment) and works as follows. A user presents a job to the cloud. The cloud finds different schedules to execute the job and presents a set of quotes to the user in terms of price and duration for the execution. The user then chooses a particular quote and the cloud is obliged to execute the job according to the chosen quote. FlexPRICE thus hides the complexity of the actual scheduling decisions from the user, but still provides enough flexibility to meet the users actual demands. We implemented FlexPRICE in a simulator called PRICES that allows us to experiment with our framework. We observe that FlexPRICE provides a wide range of execution optionsfrom fast and expensive to slow and cheap for the whole spectrum of dataintensive and computationintensive jobs. We also observe that the set of quotes computed by FlexPRICE do not vary as the number of simultaneous jobs increases. 
Conference Paper: Forward Analysis of DepthBounded Processes
[Show abstract] [Hide abstract]
ABSTRACT: Depthbounded processes form the most expressive known fragment of the πcalculus for which interesting verification problems are s till decidable. In this paper we develop an adequate domain of limits for the wellstructured transition systems that are induced by depthbounded processes. An immediate consequence of our result is that there exists a forward algorithm that decides the covering problem for this class. Unlike backward algorithms, the forward al gorithm terminates even if the depth of the process is not known a priori. More importantly, our result suggests a whole spectrum of forward algorithms that en able the effective verification of a large class of mobile sys tems. 
Conference Paper: Shape Refinement through Explicit Heap Analysis
[Show abstract] [Hide abstract]
ABSTRACT: Shape analysis is a promising technique to prove program properties about recursive data structures. The challenge is to automatically determine the datastructure type, and to supply the shape analysis with the necessary information about the data structure. We present a stepwise approach to the selection of instrumentation predicates for a TVLAbased shape analysis, which takes us a step closer towards the fully automatic verification of data structures. The approach uses two techniques to guide the refinement of shape abstractions: (1) during program exploration, an explicit heap analysis collects sample instances of the heap structures, which are used to identify the data structures that are manipulated by the program; and (2) during abstraction refinement along an infeasible error path, we consider different possible heap abstractions and choose the coarsest one that eliminates the infeasible path. We have implemented this combined approach for automatic shape refinement as an extension of the software model checker BLAST. Example programs from a datastructure library that manipulate doublylinked lists and trees were successfully verified by our tool. 
Conference Paper: A Marketplace for Cloud Resources
[Show abstract] [Hide abstract]
ABSTRACT: Cloud computing is an emerging paradigm aimed to offer users payperuse computing resources, while leaving the burden of managing the computing infrastructure to the cloud provider. We present a new programming and pricing model that gives the cloud user the flexibility of trading execution speed and price on a perjob basis. We discuss the scheduling and resource management challenges for the cloud provider that arise in the implementation of this model. We argue that techniques from realtime and embedded software can be useful in this context. 
Conference Paper: Model Checking of Linearizability of Concurrent List Implementations.

Conference Paper: Shape Refinement through Explicit Heap Analysis
[Show abstract] [Hide abstract]
ABSTRACT: Shape analysis is a promising technique to prove program properties about recursive data structures. The challenge is to automatically determine the datastructure type, and to supply the shape analysis with the necessary information about the data structure. We present a stepwise approach to the selection of instrumentation predicates for a TVLAbased shape analysis, which takes us a step closer towards the fully automatic verification of data structures. The approach uses two techniques to guide the refinement of shape abstractions: (1) during program exploration, an explicit heap analysis collects sample instances of the heap structures, which are used to identify the data structures that are manipulated by the program; and (2) during abstraction refinement along an infeasible error path, we consider different possible heap abstractions and choose the coarsest one that eliminates the infeasible path. We have implemented this combined approach for automatic shape refinement as an extension of the software model checker BLAST. Example programs from a datastructure library that manipulate doublylinked lists and trees were successfully verified by our tool.  [Show abstract] [Hide abstract]
ABSTRACT: We explore the border between decidability and undecidability of verification problems related to message passing systems that admit unbounded creation of threads and name mobility. Inspired by use cases in reallife programs we introduce the notion of depthbounded message passing systems. A configuration of a message passing system can be represented as a graph. In a depthbounded system the length of the longest acyclic path in each reachable configuration is bounded by a constant. While the general reachability problem for depthbounded systems is undecidable, we prove that control reachability is decidable. In our decidability proof we show that depthbounded systems are wellstructured transition systems to which a forward algorithm for the covering problem can be applied. 
Conference Paper: CSIsat: Interpolation for LA+EUF
[Show abstract] [Hide abstract]
ABSTRACT: We present CSIsat, an interpolating decision procedure for the quantifierfree theory of rational linear arithmetic and equality with uninterpreted function symbols. Our implementation combines the efficiency of linear programming for solving the arithmetic part with the efficiency of a SAT solver to reason about the boolean structure. We evaluate the efficiency of our tool on benchmarks from software verification. Binaries and the source code of CSIsat are publicly available as free software.  [Show abstract] [Hide abstract]
ABSTRACT: DepthBounded Systems form an expressive class of wellstructured graph transformation systems. In this paper, we present the first method of automatically proving fair termination of such systems. Our method takes an input system and symbolically computes a generalized KarpMiller tree that represents an overapproximation of the covering set of the system. From this tree, we construct a numerical abstraction that can be analyzed with existing termination provers. Our approach is a more precise alternative to traditional counter abstractions, enabling us to prove termination of complex concurrent systems. We have implemented our work in a prototype tool and applied it to prove liveness properties of various concurrent systems, including nonblocking algorithms such as Treiber's stack and several distributed processes. Many examples are beyond the scope of termination techniques based on traditional counter abstractions.
Publication Stats
153  Citations  
2.12  Total Impact Points  
Top Journals
Institutions

20102013

IST Austria
Klosterneuberg, Lower Austria, Austria
