Chengcheng Xiang,Zhengwei Qi,Walter Binder

DOI: https://doi.org/10.1142/s0218194015400343

2015-01-01

Abstract:Runtime verification validates the correctness of a program’s execution trace. Much work has been done on improving the expressiveness and efficiency of runtime verification. However, current approaches require static deployment of the verification logic and are often restricted to a limited set of events that can be captured and analyzed, hindering the adoption of runtime verification in production systems. A popular system for runtime verification in Java, JavaMOP (Monitor-Oriented Programming in Java), suffers from the aforementioned limitations due to its dependence on AspectJ, which supports neither dynamic weaving nor an extensible join-point model. In this article, we extend the JavaMOP framework with a dynamic deployment API and a new MOP specification translator, which targets the domain-specific aspect language DiSL instead of AspectJ; DiSL offers an open join-point model that allows for extensions. A case study on lambda expressions in Java8 demonstrates the extensibility of our approach. Moreover, in comparison with JavaMOP using load-time weaving, our implementation reduces runtime overhead by 32%, and heap memory usage by 13%, on average.

Patrick Metzler,Habib Saissi,Péter Bokor,Neeraj Suri

DOI: https://doi.org/10.48550/arXiv.1809.01955

2020-04-14

Abstract:Automated software verification of concurrent programs is challenging because of exponentially large state spaces with respect to the number of threads and number of events per thread. Verification techniques such as model checking need to explore a large number of possible executions that are possible under a non-deterministic scheduler. State space reduction techniques such as partial order reduction simplify the verification problem, however, the reduced state space may still be exponentially large and intractable. This paper discusses \emph{Iteratively Relaxed Scheduling}, a framework that uses scheduling constraints in order to simplify the verification problem and enable automated verification of programs which could not be handled with fully non-deterministic scheduling. Program executions are safe as long as the same scheduling constraints are enforced under which the program has been verified, e.g., by instrumenting a program with additional synchronization. As strict enforcement of scheduling constraints may induce a high execution time overhead, we present optimizations over a naive solution that reduce this overhead. Our evaluation of a prototype implementation on well-known benchmark programs shows the effect of scheduling constraints on the execution time overhead and how this overhead can be reduced by relaxing and choosing constraints.

Programming Languages

Yuhong Zhao,Franz Rammig

DOI: https://doi.org/10.1016/j.entcs.2009.09.035

2009-01-01

Electronic Notes in Theoretical Computer Science

Abstract:Model-based runtime verification is an extension to the state-of-the-art runtime verification, aimed at checking at runtime the system implementation against the system model (consistency checking) and the system model against the system specification (safety checking). Notice that our runtime verification works at the model level, thus, we do not need to strictly synchronize this runtime verification with the system execution. In fact, we mainly use the runtime information (current states) obtained from the system execution to reduce the state space (of the system model) to be explored. It means that this model-based runtime verification might run before or after the system execution, i.e., switch alternately between a preventive pre-checking mode and a maintaining post-checking mode. In order to make it run ahead of the system execution for as long time as possible, we present two possible strategies so that this runtime verification can selectively reduce the state space (of the system model) to be explored by making the system model enriched with probabilities and additional information derived and learned at the system testing phase.

Ramy Medhat,Yogi Joshi,Borzoo Bonakdarpour,Sebastian Fischmeister

DOI: https://doi.org/10.48550/arXiv.1411.2239

2014-11-09

Abstract:Runtime verification is an effective automated method for specification-based offline testing and analysis as well as online monitoring of complex systems. The specification language is often a variant of regular expressions or a popular temporal logic, such as LTL. This paper presents a novel and efficient parallel algorithm for verifying a more expressive version of LTL specifications that incorporates counting semantics, where nested quantifiers can be subject to numerical constraints. Such constraints are useful in evaluating thresholds (e.g., expected uptime of a web server). The significance of this extension is that it enables us to reason about the correctness of a large class of systems, such as web servers, OS kernels, and network behavior, where properties are required to be instantiated for parameterized requests, kernel objects, network nodes, etc. Our algorithm uses the popular {\em MapReduce} architecture to split a program trace into variable-based clusters at run time. Each cluster is then mapped to its respective monitor instances, verified, and reduced collectively on a multi-core CPU or the GPU. Our algorithm is fully implemented and we report very encouraging experimental results, where the monitoring overhead is negligible on real-world data sets.

Logic in Computer Science

KP Jevitha,Bharat Jayaraman,M Sethumadhavan

2024-06-18

Abstract:Finite-state models are ubiquitous in the study of concurrent systems, especially controllers and servers that operate in a repetitive cycle. In this paper, we show how to extract finite state models from a run of a multi-threaded Java program and carry out runtime verification of correctness properties. These properties include data-oriented and control-oriented properties; the former express correctness conditions over the data fields of objects, while the latter are concerned with the correct flow of control among the modules of larger software. As the extracted models can become very large for long runs, the focus of this paper is on constructing reduced models with user-defined abstraction functions that map a larger domain space to a smaller one. The abstraction functions should be chosen so that the resulting model is property preserving, i.e., proving a property on the abstract model carries over to the concrete model. The main contribution of this paper is in showing how runtime verification can be made efficient through online property checking on property-preserving abstract models. The property specification language resembles a propositional linear temporal logic augmented with simple datatypes and operators. Classic concurrency examples and larger case studies (Multi-rotor Drone Controller, OAuth Protocol) are presented in order to demonstrate the usefulness of our proposed techniques, which are incorporated in an Eclipse plug-in for runtime visualization and verification of Java programs.

Software Engineering

Chenxia Luo,Rui Wang,Yu Jiang,Kang Yang,Yong Guan,Xiaojuan Li,Zhiping Shi

DOI: https://doi.org/10.1109/compsac.2018.00033

2018-01-01

Abstract:The robot has attracted much attention to anticipate improved quality of human life. Real-time obstacle avoidance is one of hot spots of the research. Runtime verification is a real-time and lightweight verification technology to verify the properties in many fields. In this case study, we use the JavaMOP, a runtime verification tool to verify the implementations' correctness of the safety strategies for avoiding collision as a complement to the design. The design of the safety strategies can be classified as the pre-contact safety strategy and the post-contact safety strategy. The former can avoid obstacles and the latter can reduce the physical damage after a collision. Additionally, this case study also proposes a new method of dynamic parameter selection. It can automatically update the parameters during the operation of the robot without having to get familiar with and to modify robot programs. Because some special parameters may change as mutative factors or be updated by engineers' experience in the uncertain environment, they cannot be fixed. We follow the JavaMOP specification to describe informal requirements using the FSM and ptLTL languages. Finally, the experimental results verify the correctness of the safety strategies and the effectiveness of dynamic parameter selection.

Xiaoxue Ren,Xinyuan Ye,Zhenchang Xing,Xin Xia,Xiwei Xu,Liming Zhu,Jianling Sun

DOI: https://doi.org/10.1145/3468264.3473112

2021-01-01

Abstract:Application Programming Interfaces (APIs) typically come with usage constraints. The violations of these constraints (i.e. API misuses) can cause significant problems in software development. Existing methods mine frequent API usage patterns from codebase to detect API misuses. They make a naive assumption that API usage that deviates from the most-frequent API usage is a misuse. However, there is a big knowledge gap between API usage patterns and API usage constraints in terms of comprehensiveness, explainability and best practices. Inspired by this, we propose a novel approach named KGAMD (API-Misuse Detector Driven by Fine-Grained API-Constraint Knowledge Graph) that detects API misuses directly against the API constraint knowledge, rather than API usage patterns. We first construct a novel API-constraint knowledge graph from API reference documentation with open information extraction methods. This knowledge graph explicitly models two types of API-constraint relations (call-order and condition-checking) and enriches return and throw relations with return conditions and exception triggers. Then, we develop the KGAMD tool that utilizes the knowledge graph to detect API misuses. There are three types of frequent API misuses we can detect - missing calls, missing condition checking and missing exception handling, while existing detectors mostly focus on only missing calls. Our quantitative evaluation and user study demonstrate that our KGAMD is promising in helping developers avoid and debug API misuses.

Armando Castañeda,Gilde Valeria Rodríguez

DOI: https://doi.org/10.48550/arXiv.2301.02638

2023-05-02

Abstract:This paper studies the problem of verifying linearizability at runtime, where one seeks for a concurrent algorithm for verifying that the current execution of a given concurrent shared object implementation is linearizable. It shows that it is impossible to runtime verify linearizability for some common sequential objects, regardless of the consensus power of base objects. Then, it argues that actually a stronger version of the problem can be solved, if linearizability is verified indirectly. Namely, it shows that (1) linearizability of a class of concurrent implementations can be strongly verified using only read/write base objects (i.e. without the need of consensus), and (2) any implementation can be transformed to its counterpart in the class (which implements the same object) using only read/write objects too. As far as we know, this is the first runtime verification algorithm for any correctness condition that is fully asynchronous and fault-tolerant. As a by-product, a simple and generic methodology for deriving self-enforced linearizable implementations is obtained. This type implementations produce outputs that are guaranteed linearizable, and are able to produce a certificate of it, which allows the design of concurrent systems in a modular manner with accountable and forensic guarantees. These results hold not only for linearizability but for a correctness condition that includes generalizations of it such as set-linearizability and interval-linearizability.

Distributed, Parallel, and Cluster Computing

Lars-Åke Fredlund,Julio Mariño,Sergio Pérez,Salvador Tamarit

DOI: https://doi.org/10.48550/arXiv.1808.07937

2019-02-06

Abstract:During its lifetime, a program suffers several changes that seek to improve or to augment some parts of its functionality. However, these modifications usually also introduce errors that affect the already-working code. There are several approaches and tools that help to spot and find the source of these errors. However, most of these errors could be avoided beforehand by using some of the knowledge that the programmers had when they were writing the code. This is the idea behind the design-by-contract approach, where users can define contracts that can be checked during runtime. In this paper, we apply the principles of this approach to Erlang, enabling, in this way, a runtime verification system in this language. We define two types of contracts. One of them can be used in any Erlang program, while the second type is intended to be used only in concurrent programs. We provide the details of the implementation of both types of contracts. Moreover, we provide an extensive explanation of each contract as well as examples of their usage. All the ideas presented in this paper have been implemented in a contract-based runtime verification system named EDBC. Its source code is available at GitHub as an open-source and free project.

Programming Languages

Hongjin Liang,Xinyu Feng

DOI: https://doi.org/10.1561/2500000041

2020-01-01

Abstract:Implementations of concurrent objects should guarantee linearizability and a progress property such as wait-freedom, lock-freedom, starvation-freedom, or deadlock-freedom. These progress properties describe conditions under which a method call is guaranteed to complete. However, they fail to describe how clients are affected, making it difficult to utilize them in layered and modular program verification. Also we lack verification techniques for starvation-free or deadlock-free objects. They are challenging to verify because the fairness assumption introduces complicated interdependencies among progress of threads. Even worse, none of the existing results applies to concurrent objects with partial methods, i.e., methods that are supposed not to return under certain circumstances. A typical example is the lock_acquire method, which must not return when the lock has already been acquired. In this tutorial we examine the progress properties of concurrent objects. We formulate each progress property (together with linearizability as a basic correctness requirement) in terms of contextual refinement. This essentially gives us progress-aware abstraction for concurrent objects. Thus, when verifying clients of the objects, we can soundly replace the concrete object implementations with their abstractions, achieving modular verification. For concurrent objects with partial methods, we formulate two new progress properties, partial starvation-freedom (PSF) and partial deadlock-freedom (PDF). We also design four patterns to write abstractions for PSF or PDF objects under strongly or weakly fair scheduling, so that these objects contextually refine their abstractions. Finally, we introduce a rely-guarantee style program logic LiLi for verifying linearizability and progress together for concurrent objects. It unifies thread-modular reasoning about all the six progress properties (wait-freedom, lock-freedom, starvation-freedom, deadlock-freedom, PSF and PDF) in one framework. We have successfully applied LiLi to verify starvation-freedom or deadlock-freedom of representative algorithms such as lock-coupling lists, optimistic lists and lazy lists, and PSF or PDF of lock algorithms.

Maximiliano Klemen,Nataliia Stulova,Pedro Lopez-Garcia,José F. Morales,Manuel V. Hermenegildo

DOI: https://doi.org/10.48550/arXiv.1804.02380

2018-04-06

Programming Languages

Abstract:Instrumenting programs for performing run-time checking of properties, such as regular shapes, is a common and useful technique that helps programmers detect incorrect program behaviors. This is specially true in dynamic languages such as Prolog. However, such run-time checks inevitably introduce run-time overhead (in execution time, memory, energy, etc.). Several approaches have been proposed for reducing such overhead, such as eliminating the checks that can statically be proved to always succeed, and/or optimizing the way in which the (remaining) checks are performed. However, there are cases in which it is not possible to remove all checks statically (e.g., open libraries which must check their interfaces, complex properties, unknown code, etc.) and in which, even after optimizations, these remaining checks still may introduce an unacceptable level of overhead. It is thus important for programmers to be able to determine the additional cost due to the run-time checks and compare it to some notion of admissible cost. The common practice used for estimating run-time checking overhead is profiling, which is not exhaustive by nature. Instead, we propose a method that uses static analysis to estimate such overhead, with the advantage that the estimations are functions parameterized by input data sizes. Unlike profiling, this approach can provide guarantees for all possible execution traces, and allows assessing how the overhead grows as the size of the input grows. Our method also extends an existing assertion verification framework to express "admissible" overheads, and statically and automatically checks whether the instrumented program conforms with such specifications. Finally, we present an experimental evaluation of our approach that suggests that our method is feasible and promising.

Niels Mommen,Bart Jacobs

2023-07-14

Abstract:We propose an approach for modular verification of programs written in an object-oriented language where, like in C++, the same virtual method call is bound to different methods at different points during the construction or destruction of an object. Our separation logic combines Parkinson and Bierman's abstract predicate families with essentially explicitly tracking each subobject's vtable pointer. Our logic supports polymorphic destruction. Virtual inheritance is not yet supported. We formalised our approach and implemented it in our VeriFast tool for semi-automated modular formal verification of C++ programs.

Programming Languages

Jianhua Zhao,Xuandong LI

DOI: https://doi.org/10.48550/arXiv.1311.7181

2013-11-28

Abstract:This paper presents a formal approach to specify and verify object-oriented programs written in the `programming to interfaces' paradigm. Besides the methods to be invoked by its clients, an interface also declares a set of abstract function/predicate symbols, together with a set of constraints on these symbols. For each method declared in this interface, a specification template is given using these abstract symbols. A class implementing this interface can give its own definitions to the abstract symbols, as long as all the constraints are satisfied. This class implements all the methods declared in the interface such that the method specification templates declared in the interface are satisfied w.r.t. the definitions of the abstract function symbols in this class. Based on the constraints on the abstract symbols, the client code using interfaces can be specified and verified precisely without knowing what classes implement these interfaces. Given more information about the implementing classes, the specifications of the client code can be specialized into more precise ones without re-verifying the client code. Several commonly used interfaces and their implementations (including Iterator, Observer, Comparable, and Comparator) are used to demonstrate that the approach in this paper is both precise and flexible.

Logic in Computer Science

Li Xuandong,Wang Linzhang,Qiu Xiaokang,Lei Bin,Yuan Jiesong,Zhao Jianhua,Zheng Guoliang

DOI: https://doi.org/10.1007/11767077_8

2006-01-01

Abstract:In this paper, we use UML sequence diagrams as scenario-based specifications, and give the solution to runtime verification of Java programs for the safety consistency and the mandatory consistency. The safety consistency requires that any forbidden scenario described by a given sequence diagram never happens during the execution of a program, and the mandatory consistency requires that if a reference scenario described by the given sequence diagrams occurs during the execution of a program, it must immediately adhere to a scenario described by the other given sequence diagram. In the solution, we first instrument the program under verification so as to gather the program execution traces related to a given scenario-based specification; then we drive the instrumented program by random test cases so as to generate the program execution traces; last we check if the collected program execution traces satisfy the given specification. Our work leads to a testing tool which may proceed in a fully automatic and push-button fashion.

Kuanjiu Zhou,Jiawei Yong,Xiaolong Wang,Longtao Ren,Gang Hou,Junwang Chang

DOI: https://doi.org/10.1007/978-3-642-45293-2_26

2013-01-01

Abstract:Model checking technique has been gradually applied to verify the reliability of software systems. However, as to software with large scale and complex structure, the verification procedure suffers from the state space explosion, thus leading to a low efficiency or resource exhaustion. In this paper, we propose a method of accelerating software model checking based on program backbone to verify the properties in ANSI-C source codes. We prune the program with respect to the assertion property, and compress the circular paths by maximal strongly connected components to extract the program backbone. Subsequently, the Hoare theory is used to generate an invariant from the compressed circular nodes, which reduces the length of path encoding. The assertion property is finally translated into a quantifier-free formula and checked for satisfiability by the SMT solver Z3. The experiments show that this method substantially improves the efficiency of program verification.

Mitesh Jain,Panagiotis Manolios

DOI: https://doi.org/10.48550/arXiv.1703.05317

2017-03-16

Abstract:We introduce a new methodology based on refinement for testing the functional correctness of hardware and low-level software. Our methodology overcomes several major drawbacks of the de facto testing methodologies used in industry: (1) it is difficult to determine completeness of the properties and tests under consideration (2) defining oracles for tests is expensive and error-prone (3) properties are defined in terms of low-level designs. Our approach compiles a formal refinement conjecture into a runtime check that is performed during simulation. We describe our methodology, discuss algorithmic issues, and provide experimental validation using a 5-stage RISCV pipelined microprocessor and hypervisor.

Logic in Computer Science,Software Engineering

Hongjin Liang,Xinyu Feng

DOI: https://doi.org/10.1145/2914770.2837635

2016-01-01

ACM SIGPLAN Notices

Abstract:Existing work on verifying concurrent objects is mostly concerned with safety only, e.g., partial correctness or linearizability. Although there has been recent work verifying lock-freedom of non-blocking objects, much less efforts are focused on deadlock-freedom and starvation-freedom, progress properties of blocking objects. These properties are more challenging to verify than lock-freedom because they allow the progress of one thread to depend on the progress of another, assuming fair scheduling. We propose LiLi, a new rely-guarantee style program logic for verifying linearizability and progress together for concurrent objects under fair scheduling. The rely-guarantee style logic unifies thread-modular reasoning about both starvation-freedom and deadlock-freedom in one framework. It also establishes progress-aware abstraction for concurrent objects, which can be applied when verifying safety and liveness of client code. We have successfully applied the logic to verify starvation-freedom or deadlock-freedom of representative algorithms such as ticket locks, queue locks, lock-coupling lists, optimistic lists and lazy lists.

Zejun Zhang,Shaobo Wu,Renhe Jiang,Minxue Pan,Tian Zhang

DOI: https://doi.org/10.1145/3275219.3275229

2018-01-01

Abstract:As the efficiency of constraint solvers increases, constraint solving has been widely used in many applications of software engineering, such as test case generation, program synthesis and code search. However, encoding source code into constraints is not an easy task. Particularly, when it comes to complex data structures of library functions, existing work cannot generate effective constraints. In this paper, we propose a documentation-based method to generate constraint for Java APIs. It mainly uses Natural Language Processing (NLP) techniques to construct syntactic trees by extracting the specifications of methods. Then it uses predefined constraint templates to generate constraint models by traversing the syntactic trees. Our approach successfully models 228 methods for 11 Java container classes and string-related classes. We summarize 12 functional behavior and formulate 21 constraint templates for these classes. Compared with other tools, our approach models most of methods about string-related classes, and more importantly, generates constraint models for Java container classes that other tools cannot. In order to evaluate the effectiveness of our constraint models, we apply them into test case generation. The experimental result shows that constraint models we generate have practical use.

David J. Murray,Dale E. Parson

DOI: https://doi.org/10.48550/arXiv.cs/0101002

2001-01-03

Software Engineering

Abstract:Correctness constraints provide a foundation for automated debugging within object-oriented systems. This paper discusses a new approach to incorporating correctness constraints into Java development environments. Our approach uses the Object Constraint Language ("OCL") as a specification language and the Java Debug Interface ("JDI") as a verification API. OCL provides a standard language for expressing object-oriented constraints that can integrate with Unified Modeling Language ("UML") software models. JDI provides a standard Java API capable of supporting type-safe and side effect free runtime constraint evaluation. The resulting correctness constraint mechanism: (1) entails no programming language modifications; (2) requires neither access nor changes to existing source code; and (3) works with standard off-the-shelf Java virtual machines ("VMs"). A prototype correctness constraint auditor is presented to demonstrate the utility of this mechanism for purposes of automated debugging.

Hushuang Zcng,Jingxin Chen,Bcijun Shen,Hao Zhong

DOI: https://doi.org/10.1109/apsec53868.2021.00024

2021-01-01

Abstract:Calling Application Programming Interfaces (APIs) shall follow various constraints (e.g., call orders). If these con-straints are violated, API misuses are introduced to code, and such misuses can cause severe bugs. To effectively detect API misuses, most prior approaches mine constraints from client code, and assume that the violations of constraints are potential misuses. However, as client code only illustrates a small portion of API usages, constraints mined from client code are typically incomplete. As a result, when mined constraints are used to detect bugs, many violations of constraints turn out to be false positives. In this paper, our research purpose is to find more misuses and to reduce false positives. As library code contains many details on APIs, we propose an approach that mines API constraints from both client and library code. From client code, our approach builds API usage graphs and uses a frequent subgraph mining algorithm to mine frequent usage patterns as API constraints. From library code, our approach derives various types of constraints with our predefined strategies. With constraints from both sources, our graph matching algorithm can detect API misuses. As a result, our approach takes advantage from both the comprehensiveness and informativeness of library-based constraints and the accuracy of client-based patterns. We compared our approach with MuDetect on the MuBench dataset. Our results show that it significantly improves the detection effectiveness of MuBench from 39.5% to 50.2% of the recall, and from 30.6% to 41.7% of the precision.