Model Checking C# Code: A Translation Approach

Contents

• Overview• Model Structure• Key Features

o Flow Controlo State Representationo Thread management

• What's Next

Overview

• C Source Code Model Checkers: BLAST, SLAM and CBMC etc o Translate to Boolean Program or CIL (C Intermediate

Language)o use Theorem Prover or SAT Solver to check predicateso Translate to Promela and use SPIN to check

•  Java and C# Model Checkerso Java PathFindero MoonWalkero act as a virtual machine to "run" the program

Objectives

• Going down to byte-code level might not be necessary• PAT is a general Model Checker with good performance and

extensibility• PAT can import C# library, the polymorphism could be

handled smoothly and efficiently Extra• improve the traceability for testing, model checking and

debugging.• Refinement checking to ensure consistency (different dev

phases or branches)

Structure

Flow Control

• Statement• Branch• Loop• Block of Code•  • Return• Exception 

Flow Control

{...statement1;statement2;...}

if(cond) {//block 1}else {//block 2}

Block(..) =((tau{statement1;} -> Skip);((tau{statement1;} -> Skip);...));

if (cond) { Block_1(..)} else { Block_2(..) }

Flow Control

for(init; cond; increment) {//block 1}

For_1(..) =    Block_1();    increment;    if(Cond) {For_1(..)}     else {Skip};

...init;if(cond) For_1(...);...

State Representation

• Classes and Objectso Fields remaino Methods: Based on defined atomicity 

State Representation

class Philosopher{

int name;Fork left;Fork right;

}

class Philosopher : ExpressionValue{public int name;public int Get_name()             {return name; }public void Set_name(int val)                {name = val; }public int left;public int Get_left() {return left; }public void Set_left(int val)             {left = val; }...

State Representation

public class Memory : ExpressionValue{...     public int Philosopher_Get_name(int obj) {             return philosopherList.GetObj(obj).Get_name();         }public void Philosopher_Set_name(int obj, int val) {            philosopherList.GetObj(obj).Set_name(val);         }public int Philosopher_Get_left(int obj) {            return philosopherList.GetObj(obj).Get_left();         }public void Philosopher_Set_left(int obj, int val) {            PhilosopherList.GetObj(obj).Set_left(val);         }...}

Thread Management

CreateNewThread() =     create_thread?ti.pid.obj -> NewThread(ti, pid, obj);

NewThread(ti, pid, obj) =case {(ti == 1) : Philosopher_run(pid, obj)default: Skip} || CreateNewThread();

Sys() = Main() || CreateNewThread();

Thread Management

...//originThread newThread = new Thread(new ThreadStart(run));newThread.Start();...

...//translated((create_thread!1.pid.objx -> Skip);(atomic {tau{cpid++} -> Philosopher_run_chan_in!cpid.objx -> Skip};...

Philosopher_run() =(Philosopher_run_chan_in?pid.obj -> ...

Lock

Fork_Lock(pid, obj) =[0 == memory.Fork_Get_LOCK(obj)]((tau{ memory.Fork_Set_LOCK(obj, pid); } -> Skip));

Fork_Unlock(pid, obj) =assert(memory.Fork_Get_LOCK(obj) == pid);((tau{ memory.Fork_Set_LOCK(obj, 0); } -> Skip));

Lock

(Fork_Lock(pid, memory.Philosopher_Get_left(obj));(Fork_Lock(pid, memory.Philosopher_Get_right(obj));...(Fork_Unlock(pid, memory.Philosopher_Get_right(obj));(Fork_Unlock(pid, memory.Philosopher_Get_left(obj))

lock (left) {  lock (right) {    // eat!  }}

Parameter Pass and Local Variable

//origin

public Philosopher (Fork le, Fork ri, int na){left = le;right = ri;name = na;...}

Parameter Pass and Local Variable

//translated version 1

Philosopher_CreateObj() =(Philosopher_CreateObj_chan_in?pid.le.ri.na -> ((tau{ memory.Philosopher_Set_le(le); } -> Skip);((tau{ memory.Philosopher_Set_ri(ri); } -> Skip);((tau{ memory.Philosopher_Set_na(na); } -> Skip);((tau{ objx = memory.Philosopher_CreateObj(); } -> Skip);((tau{ memory.Philosopher_Set_left(objx, memory.Philosopher_Get_le()); } -> Skip);((tau{ memory.Philosopher_Set_right(objx, memory.Philosopher_Get_ri()); } -> Skip);((tau{ memory.Philosopher_Set_name(objx, memory.Philosopher_Get_na()); } -> Skip);...))))))))));

Parameter Pass and Local Variable

//translated version 2

Philosopher_CreateObj() =(Philosopher_CreateObj_chan_in?pid.le.ri.na -> ((tau{ objx = memory.Philosopher_CreateObj(); } -> Skip);((tau{ memory.Philosopher_Set_left(objx, le); } -> Skip);((tau{ memory.Philosopher_Set_right(objx, ri); } -> Skip);((tau{ memory.Philosopher_Set_name(objx, na); } -> Skip);...))))))));

What's next

• Exception handling• Atomicity control

Thank You!

Reference

[1]  J. Sun, Y. Liu, J. S. Dong, and J. Pang, “PAT: towardsflexible verification under fairness,” in Proceedings of the 21thInternational Conference on Computer Aided Verification(CAV’09). [2]  K. Havelund and T. Pressburger, “Model checking javaprograms using java pathfinder,” International Journal onSoftware Tools for Technology Transfer (STTT), vol. 2, no. 4,pp. 366 – 381, 2000.

[3]  Wendi Zhah,  Yet Another Model Checker for PROMELA, to be appear..