| 1 | \part{Tools}
|
|---|
| 2 | \label{part:tools}
|
|---|
| 3 |
|
|---|
| 4 | \chapter{Introduction}
|
|---|
| 5 |
|
|---|
| 6 | \section{Symbolic execution}
|
|---|
| 7 |
|
|---|
| 8 | The tools currently in the CIVL tool kit all use \emph{symbolic
|
|---|
| 9 | execution}. This is a technique in which variables are assigned
|
|---|
| 10 | symbolic rather than concrete values. In particular, input variables
|
|---|
| 11 | are assigned unique \emph{symbolic constants}, which are symbols such
|
|---|
| 12 | as $X$, $Y$, and so on. Operations produce symbolic expressions in
|
|---|
| 13 | those symbols, such as $(X+Y)/2$.
|
|---|
| 14 |
|
|---|
| 15 | \section{Commands}
|
|---|
| 16 |
|
|---|
| 17 | Current tools allow one to \emph{run} a CIVL program using random
|
|---|
| 18 | choice to resolve nondeterministic choices; \emph{verify} a program
|
|---|
| 19 | using model checking to explore all states of the program; and
|
|---|
| 20 | \emph{replay} a trace if an error is found. There are also commands
|
|---|
| 21 | to show the results just of preprocessing or parsing a file; as these
|
|---|
| 22 | are basically sub-tasks of the other tasks, they are used mainly for
|
|---|
| 23 | debugging.
|
|---|
| 24 |
|
|---|
| 25 | Each tool is launched from the command line by typing ``\texttt{civl}
|
|---|
| 26 | \textit{cmd} \ldots'', where \textit{cmd} is one of
|
|---|
| 27 | \begin{itemize}
|
|---|
| 28 | \item \ct{help} : print usage information
|
|---|
| 29 | \item \ct{run} : run the program using random simulation
|
|---|
| 30 | \item \ct{verify} : verify program
|
|---|
| 31 | \item \ct{replay} : replay trace for program
|
|---|
| 32 | \item \ct{parse} : show result of preprocessing and parsing file
|
|---|
| 33 | \item \ct{preprocess} : show result of preprocessing file only.
|
|---|
| 34 | \end{itemize}
|
|---|
| 35 | The additional arguments and options are described below and are also
|
|---|
| 36 | shown by the \ct{help} command.
|
|---|
| 37 |
|
|---|
| 38 | A number of properties are checked when running or verifying
|
|---|
| 39 | a CIVL program. These include the following:
|
|---|
| 40 | \begin{itemize}
|
|---|
| 41 | \item absence of deadlocks
|
|---|
| 42 | \item absence of assertion violations
|
|---|
| 43 | \item absence of division or modulus with denominator $0$
|
|---|
| 44 | \item absence of illegal pointer dereferences
|
|---|
| 45 | \item absence of out-of-bounds array indexes
|
|---|
| 46 | \item absence of invalid casts
|
|---|
| 47 | \item every object is defined (i.e., initialized) before
|
|---|
| 48 | it is used.
|
|---|
| 49 | \end{itemize}
|
|---|
| 50 |
|
|---|
| 51 |
|
|---|
| 52 | \section{Options}
|
|---|
| 53 |
|
|---|
| 54 | The following command line options are available:
|
|---|
| 55 |
|
|---|
| 56 | \newenvironment{optionlist}{\begin{flushleft}}{\end{flushleft}}
|
|---|
| 57 | \newcommand{\option}[2]{#1\\[0mm]\makebox[5mm]{}#2\\[3mm]}
|
|---|
| 58 | \newcommand{\booloption}[3]{\option{\ct{-#1} or \ct{-#1=}\textit{boolean}
|
|---|
| 59 | (default: \ct{#2})}{#3}}
|
|---|
| 60 | \newcommand{\intoption}[3]{\option{\ct{-#1=}\textit{integer}
|
|---|
| 61 | (default: \ct{#2})}{#3}}
|
|---|
| 62 | \newcommand{\mapoption}[2]{\option{\ct{-#1}\textit{key}\ct{=}\textit{value}}{#2}}
|
|---|
| 63 | \newcommand{\stringoption}[3]{\option{\ct{-#1=}\textit{string}
|
|---|
| 64 | (default: \ct{#2})}{#3}}
|
|---|
| 65 |
|
|---|
| 66 | \begin{optionlist}
|
|---|
| 67 | \booloption{debug}{false}{debug mode: print very detailed information}
|
|---|
| 68 | \booloption{echo}{false}{print the command line}
|
|---|
| 69 | \intoption{errorBound}{1}{stop after finding this many errors}
|
|---|
| 70 | \booloption{guided}{false}{user guided simulation; applies only to
|
|---|
| 71 | run, ignored for all other commands}
|
|---|
| 72 | \intoption{id}{0}{ID number of trace to replay}
|
|---|
| 73 | \mapoption{input}{initialize input variable \textit{key} to
|
|---|
| 74 | \textit{value}}
|
|---|
| 75 | \intoption{maxdepth}{2147483647}{bound on search depth}
|
|---|
| 76 | \booloption{min}{false}{search for minimal counterexample}
|
|---|
| 77 | \stringoption{por}{std}{partial order reduction (por) choices:
|
|---|
| 78 | std (standard por) or scp (scoped por)}
|
|---|
| 79 | \booloption{random}{varies}{select enabled transitions randomly;
|
|---|
| 80 | default for \texttt{run}, ignored for all other commands}
|
|---|
| 81 | \booloption{saveStates}{true}{save states during depth-first search}
|
|---|
| 82 | \stringoption{seed}{none}{set the random seed; applies only to run}
|
|---|
| 83 | \booloption{showModel}{false}{print the model}
|
|---|
| 84 | \booloption{showProverQueries}{false}{print theorem prover queries
|
|---|
| 85 | only}
|
|---|
| 86 | \booloption{showQueries}{false}{print all queries}
|
|---|
| 87 | \booloption{showSavedStates}{false}{print saved states only}
|
|---|
| 88 | \booloption{showStates}{false}{print all states}
|
|---|
| 89 | \booloption{showTransitions}{false}{print transitions}
|
|---|
| 90 | \booloption{simplify}{true}{simplify states?}
|
|---|
| 91 | \booloption{solve}{false}{try to solve for concrete counterexample}
|
|---|
| 92 | \stringoption{sysIncludePath}{}{set the system include path}
|
|---|
| 93 | \stringoption{trace}{}{filename of trace to replay}
|
|---|
| 94 | \stringoption{userIncludePath}{}{set the user include path}
|
|---|
| 95 | \booloption{verbose}{false}{verbose mode}
|
|---|
| 96 | \end{optionlist}
|
|---|
| 97 |
|
|---|
| 98 | \chapter{Transitions}
|
|---|
| 99 |
|
|---|
| 100 | In CIVL, a transition stands for the execution of a number of
|
|---|
| 101 | statements of a certain process from one state, and the execution of
|
|---|
| 102 | each statement is considered as one step. A transition has the
|
|---|
| 103 | following form in the output, where sid and sid' are the identifiers
|
|---|
| 104 | for the source and the target states, pid is the identifier of the
|
|---|
| 105 | process that this transition belongs to, and step 0,1 ... are the
|
|---|
| 106 | steps contained in the transitions.
|
|---|
| 107 |
|
|---|
| 108 | \begin{verbatim}
|
|---|
| 109 | State sid, proc pid:
|
|---|
| 110 | step 0;
|
|---|
| 111 | step 1;
|
|---|
| 112 | ...
|
|---|
| 113 | --> State sid'
|
|---|
| 114 | \end{verbatim}
|
|---|
| 115 |
|
|---|
| 116 | A step of a transition has the following form in the CIVL output,
|
|---|
| 117 | where src and dst is the source and destination location of the
|
|---|
| 118 | statement executed in the step, file is the file that contains the
|
|---|
| 119 | source code of the statement, location and text are the location and
|
|---|
| 120 | summary of text of the statement in the source file.
|
|---|
| 121 |
|
|---|
| 122 | \begin{verbatim}
|
|---|
| 123 | src->dst: statement at file:location "text";
|
|---|
| 124 | \end{verbatim}
|
|---|
| 125 |
|
|---|
| 126 | For example, the following is a transition from state 0 to state 1,
|
|---|
| 127 | containing 6 steps. File names are renamed with short names and the
|
|---|
| 128 | mapping of short names and the original files is presented in output
|
|---|
| 129 | as well.
|
|---|
| 130 |
|
|---|
| 131 | \begin{verbatim}
|
|---|
| 132 | File name list:
|
|---|
| 133 | f0 : atomicBlockedResume.cvl
|
|---|
| 134 |
|
|---|
| 135 | State 0, proc 0:
|
|---|
| 136 | 0->1: x = 1 at f0:3.0-9 "int x = 1";
|
|---|
| 137 | 1->2: y = 0 at f0:4.0-9 "int y = 0";
|
|---|
| 138 | 2->3: z = 0 at f0:5.0-9 "int z = 0";
|
|---|
| 139 | 3->6: sum = 0 at f0:6.0-11 "int sum = 0";
|
|---|
| 140 | 6->8: $spawn foo(1) at f0:22.4-17 "$spawn foo(1)";
|
|---|
| 141 | 8->10: $spawn foo(2) at f0:23.4-17 "$spawn foo(2)";
|
|---|
| 142 | --> State 1
|
|---|
| 143 | \end{verbatim}
|
|---|
| 144 |
|
|---|
| 145 | To make use of this feature, one needs to specify the option
|
|---|
| 146 | \texttt{-showTransitions} when running CIVL.
|
|---|
| 147 |
|
|---|