Erlang Programming Erlang Training and Consulting Ltd for ...
Development of Formally Verified Erlang Programs a case study
-
Upload
pamela-campbell -
Category
Documents
-
view
30 -
download
6
description
Transcript of Development of Formally Verified Erlang Programs a case study
Development of Formally Verified Erlang Programs
a case study
Thomas ArtsClara Benac Earle
Computer Science LabStockholm, Sweden
Research question
how can we identify the hard-to-find errors in the code?
can formal methods help infinding errors not uncovered by testing?
AXD 301 Architecture
CP CP CP CP CP CP
Switch Core
DP
DP
DP
DP
DP
DP
DP
AXD 301 Call setup
AXD 301 Architecture
CP CP CP CP CP CP
Switch Core
DP
DP
DP
DP
DP
DP
DP
CP
OM
CP
OM
CP
OMCC CC CC CC
CPCCOM
AXD 301 fault tolerance
AXD 301 fault tolerance
CP
CC
CP CP CP CP
CC
CP
Switch Core
DP
DP
DP
DP
DP
DP
DP
CP
OM
CP
OM
CP
OM
CPCCOM
CP
OM
CP
CC
CP
CC
node
OM
nodeapp
appapp
app
Billing application
Take over
CP
CC
node
OM
node
Billing application
app
appapp
app
Take overtake
over
CP
OM
node
app
CP
CC
node
OM
node
Billing application
app
app
app
Take over
Application lock
During take over the respective application should not be used.
distributed resource locker with shared and exclusive locks
CLIENTS RESOURCES
A
C
BLOCKER
CLIENT 1
CLIENT 2
CLIENT 3
ok
{request,[A],shared}
ok
{request,[A],exclusiv
e}
ok
{release}
done
{release}
done
{request,[A,B],shared} C1
C1
C2
C3
C3
example
-module(client).
start_link(Locker) -> {ok,spawn_link(loop,[Locker])}.
loop(Locker) -> gen_server:call(Locker,request), critical(), gen_server:call(Locker,release), loop(Locker).
examplestart_link() -> gen_server:start_link(locker,[],[]).
init([]) -> {ok,[]}.
handle_call(request,Client,Pending)-> case Pending of [] -> {reply, ok, [Client]}; _ -> {noreply, Pending ++ [Client]} end;
handle_call(release, Client, [_|Pending]) -> case Pending of [] -> {reply, done, []}; _ -> gen_server:reply(hd(Pending), ok), {reply, done, Pending} end.
Supervisor processes
standard supervision structure can be used to obtain initialization information for transition diagram
supervisor
supervisorlocker
gen_server
clientclient client clientclient
start supervision tree with 5 clients
supervisor:start(locker_sup,start,[5]).
Testing versus Verification
Thus, for one input, 100% coverage with verification
testing: many program runs on different inputverification: all runs on different input
verify:allruns(locker_sup,start,[8]).
Mutual exclusion(at most one client has access to resource)
-module(client).
start_link(Locker) -> {ok,spawn_link(loop,[Locker])}.
loop(Locker) -> gen_server:call(Locker,request), critical(), gen_server:call(Locker,release), loop(Locker).
io:format(“enter cs~n”),critical(),io:format(“exit cs~n”),
erlang:tracefor gen_server:call
testing
io client 2client 1
enter cs
exit csenter cs
enter cs
exit cs
enter cs
exit csexit cs
Verification:generate State Space
clients states transitions 2 14 18 3 53 75 4 230 344 5 1177 1805 6 7100 10980 8 398074 617216
Erlang -> transitionsstart verification with 2 clients
verify:allruns(locker_sup,start,[2])
ourToollocker.erl
client.erl
locker_sup.erl
client_sup.erl
ourTool
ourTool
ourTool
ourTool
EtoE rest tool
locker.erlclient.erl
init.erl
inst
antia
tion
Erlang -> transitionsstart verification with 2 clients
etomcrl:instantiator(locker_sup,start,[2])
locker.erlclient.erl
locker_sup.erl
client_sup.erl
locker.erlclient.erl
init.erl
inst
antia
tion tomcrl.erl
inst
antia
tion
EtoE rest tool rest toolrest toolrest toolrest toolEtoPmcrl
Erlang -> transitions
locker.erlclient.erl
locker_sup.erl
client_sup.erl
inst
antia
tion tomcrl.erl
inst
antia
tion
EtoE rest tool rest toolEtoPmcrl rest toolrest toolrest toolCWI toolinstantiator
locker.mCRL
toMCRL
start verification with 2 clients
etomcrl:instantiator(locker_sup,start,[2])
locker.erlclient.erl
init.erl
Erlang -> transitions
locker.erlclient.erl
locker_sup.erl
client_sup.erl
inst
antia
tion tomcrl.erl
inst
antia
tion
EtoE rest tool rest toolEtoPmcrl CWI toolinstantiator
locker.mCRL
toMCRL
start verification with 2 clients
etomcrl:instantiator(locker_sup,start,[2])
locker.erlclient.erl
init.erl
Aldebaran
locker.aut
State Space analysissimulation with backtrack possibilities
find execution sequencedeadlock check states in the graph without out-arrow
property check such as mutual exclusion
State Space analysis
Between two handle_call(request,_,_) there should be ahandle_call(release,_,_).
[-*,“handle_call(request,_,_)”, (not “handle_call(release,_,_)”)*, “handle_call(request,_,_)” ]false
Properties are specified as regular expressions over Erlang function calls in combination with [] and <> operators.
After a gen_server:call(locker, request) there is always a gen_server:call(locker,release) possible.
[-*,“gen_server:call(locker, request)”] < -*,“gen_server:call(locker, request)”>true
Conclusions
• We developed software to verify properties of Erlang programs
• We verified a resource locker program featuring multiple resources with shared and exclusive access (upto 6 clients in many different configurations)
• State space upto a million states (several techniques to reduces state space if property is given)
• Working on addition of Erlang constructs to cover more of the language (fault tolerance handling, gen_fsm)