upgrades-savcbs2004 - Formalizing Lightweight Verification of...
Formalizing Lightweight Verification of Software Component Composition

Stephen McCamant, Michael D. Ernst
MIT Computer Science and Artificial Intelligence Laboratory
32 Vassar Street, Cambridge, MA 02139 USA
smcc@csail.mit.edu, mernst@csail.mit.edu

ABSTRACT

Software errors often occur at the interfaces between separately developed components. Incompatibilities are an especially acute problem when upgrading software components, as new versions may be accidentally incompatible with old ones. As an inexpensive mechanism to detect many such problems, previous work proposed a technique that adapts methods from formal verification to use component abstractions that can be automatically generated from implementations. The technique reports, before performing the replacement or integrating the new component into a system, whether the upgrade might be problematic for that particular system. The technique is based on a rich model of components that support internal state, callbacks, and simultaneous upgrades of multiple components, and component abstractions may contain arbitrary logical properties including unbounded-state ones.

This paper motivates this (somewhat non-standard) approach to component verification. The paper also refines the formal model of components, provides a formal model of software system safety, gives an algorithm for constructing a consistency condition, proves that the algorithm's result guarantees system safety in the case of a single-component upgrade, and gives a proof outline of the algorithm's correctness in the case of an arbitrary upgrade.

1. INTRODUCTION

Previous work [12, 13] introduced a technique that seeks to identify unanticipated interactions among software components, before the components are actually integrated with one another. The technique compares the observed behavior of an old component to the observed behavior of a new component; it permits the upgrade only if the behaviors are compatible, for the way that the component is used in an application. The technique issues a warning when the behaviors of the new and old components are incompatible, but lack of such a warning is not a guarantee of correctness, nor is its presence a guarantee that the program's operation would be incorrect. The technique constructs operational abstractions, mathematical statements syntactically similar to specifications that describe a component's behavior and its expectations about the behavior of other components. For a given system of components, the technique constructs a consistency condition that relates the expectations of one module to how they might be satisfied by the behaviors of others. This combination of the abstractions according to the consistency condition is then passed to an automatic theorem prover (our prototype uses Simplify [4]), and the upgrade is approved only if the consistency condition is verified to hold. We have used our implementation to find behavioral inconsistencies in large software systems — for instance, differences between ver-
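The single-component upgrade check described above, in miniature, as an added example that is not the authors' implementation: operational abstractions are inferred as the candidate invariants holding on every observed call, and each expectation the client formed from the old component must be implied by what the new component's own runs guarantee. Enumeration over a small finite domain stands in for Simplify, and the invariant templates, the halving component and all observation tuples are constructed here for illustration.

```python
from itertools import product

# Candidate invariants over one observed call, recorded as (arg, result).
# Client templates describe what a caller relies on in the results it gets back;
# component templates describe the behaviour a component's own tests exhibit.
CLIENT_TEMPLATES = {
    "result >= 0":     lambda a, r: r >= 0,
    "result < arg":    lambda a, r: r < a,
    "result % 2 == 0": lambda a, r: r % 2 == 0,
}
COMPONENT_TEMPLATES = {
    "arg >= 1":                 lambda a, r: a >= 1,
    "result == arg // 2":       lambda a, r: r == a // 2,
    "result == (arg + 1) // 2": lambda a, r: r == (a + 1) // 2,
    "result <= arg":            lambda a, r: r <= a,
}
TEMPLATES = {**CLIENT_TEMPLATES, **COMPONENT_TEMPLATES}


def abstraction(templates, observations):
    """Operational abstraction: the candidates that hold on every observation."""
    return {name for name, pred in templates.items()
            if all(pred(a, r) for a, r in observations)}


def implies(premises, conclusion, domain=range(-3, 12)):
    """Decide premises => conclusion by enumerating (arg, result) pairs over a
    finite domain. This is a stand-in for the automatic theorem prover; the
    real technique hands the formula to Simplify instead."""
    return all(TEMPLATES[conclusion](a, r)
               for a, r in product(domain, repeat=2)
               if all(TEMPLATES[p](a, r) for p in premises))


def check_upgrade(client_obs, new_obs):
    """Consistency condition for replacing one component.

    client_obs: (arg, result) pairs the client saw from the OLD component; the
    invariants over them are the client's expectations of the component.
    new_obs: (arg, result) pairs from the NEW component's own test runs; the
    invariants over them are what the new version guarantees.
    Returns (approved, unmet_expectations); a non-empty list is the warning.
    """
    expectations = abstraction(CLIENT_TEMPLATES, client_obs)
    guarantees = abstraction(COMPONENT_TEMPLATES, new_obs)
    unmet = sorted(e for e in expectations if not implies(guarantees, e))
    return not unmet, unmet


# Constructed data: the client used an old floor-halving component on even args;
# version A floors as well, version B rounds up and breaks "result < arg" at 1.
CLIENT_OBS = [(4, 2), (8, 4), (10, 5), (6, 3)]
NEW_A_OBS = [(1, 0), (2, 1), (9, 4), (11, 5)]
NEW_B_OBS = [(1, 1), (2, 1), (9, 5), (11, 6)]
```

As in the paper, a warning from this check is not proof the system would misbehave: a new component whose test runs are too sparse to establish a guarantee is reported even if its real behaviour is fine.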