Bandera: Extracting Finitestate Models from Java Source Code

1
Bandera Extracting Finite-state Models from Java
Source Code

• James C. Corbett (Hawaii)
• Matthew B. Dwyer, John Hatcliff, Shawn Laubach,
  Corina S. Pasareanu, Robby, Hongjun Zheng (KSU)
• Presented by Christian Almazan
• 18 November 2003 (CMSC 631)

2
Model Checking in One Slide
Verified

• Model Checker
• SPIN
• dSPIN
• SMV

Finite-State Model
Counter-Example

• Temporal Logic Formula
• Linear Temporal Logic (LTL)
• Computation Tree Logic (CTL)

• Automatic specification verification
• Covers all possible paths in the model
• Popular in hardware and protocol verification

3
Difficulty in BringingModel Checking to Software

• State-Explosion Problem
• States increase exponentially as program size
  grows
• Model Construction Problem
• Development in a general-purpose language
• Verification tools use an specification language
• Requirement Specification Problem
• Specification languages tend to be mathematical
• Hard to use, read, debug, very lengthy
• Output Interpretation Problem
• Counter-example long and complex
• Hard to map directly to source code

4
Problems in Previous Efforts

• Monolithic Approach
• Model checker for a specific language (Erlang)
• Difficult to place newer model checking
  techniques
• Source Code ? Verifier Input Language
• Translates program directly from source code
• JCAT or Java PathFinder to PROMELA for SPIN
• Program Size Increases Exponential State Growth
• Combined Problems
• Keeps developers tied to one technology
• Limited support for control and data abstraction

5
Overcoming Obstacles Bandera

• Use proven model checkers
• SPIN, dSPIN, Java PathFinder
• Automated transformations
• Compacting number of states
• Use individual models for each property
• Design for extensibility
• Build individual components
• Create a friendly environment
• Familiar, uniform, specifications easy to learn
• Leveraged for testing, debugging, and simulation

6
Bandera Components
7
Program Infrastructure

• Built on top of the Soot compiler framework
• Uses control-flow graph language Jimple
• Language used by all middleware components
• Java-to-Jimple-to-Java Compiler (JJJC)
• Easily use internal tools and return Java code
• Allows model checker counter-examples to be
  mapped back into original Java source code

8
Property Specification

• Bandera Specification Language (BSL)
• Collection of temporal specification patterns in
  English
• Parameterized macros ? LTL or CTL
• Defined in source code directly using Javadoc
• Not mathematical like LTL or CTL

9
Bounded Buffer Specification

• If a buffer becomes full, it will eventually
  become non-full.
• /
• _at_observable
• EXP Full(this) (head tail)
• FullToNonFull forallbBoundedBuffer
• !Full(b) responds to Full(b)
  globally
• /
• class BoundedBuffer
• ...

10
Static Analysis

• Bandera Object Flow Analysis (BOFA)
• Optimizations data/control analysis
• Statically collects information about objects
  that may flow into each program expression at
  runtime
• Associates a set of tokens t1, , tn for a
  particular expression e.
• ti is a pair (C,s) C is a class name and s is
  where object is created
• Similar to points to analysis for imperative
  languages and closure analysis used for
  functional programming languages

11
Slicing
In Property
Relevant

• Given program P and slicing criterion ? based on
  the observables in the specification
• Does program dependence-based slicing to get a
  reduced version of P
• dependences data, control, interference, ready,
  wait
• backwards slicing
• Effectiveness based on structure of program

12
Abstract Interpretation

• Further reductions through data abstraction
• Useful when specification does not need concrete
  values, but only properties of values
• Developers aid abstraction libraries Bandera
  Abstraction Specification Library (BASL)
• Utilizes the PVS theorem prover
• Examples
• integers to signs positive, zero, negative
• vector items ItemInVector, ItemNotInVector

13
Back End Model Generation

• Bandera Intermediate Representation language
  (BIR)
• Jimple-BIR BIR Constructor
• Used between Bandera components and model checker
  input languages
• Model checker writers only need to write a
  translator from BIR to their input language
• BIR contains higher-level constructs to model
  Java code more efficiently
• locks, threads, references, heap

14
Bandera Components
15
Using Bandera

• Launch the Bandera User Interface (BUI) from the
  command line
• Future runs save which components you want to
  use in session files

16
Counter-Example Overview

• Counter-example with a thousand states?!?!
• Bandera provides debugger-like features
• map states to source code
• program tracing
• create checkpoints
• keep track of variables and objects
• UML-like object displays
• lock graphs

17
Counter-ExampleProgram Tracing
18
Counter-ExampleLock Graph
19
Counter-ExampleObject Viewer
20
Mandatory Performance Slide
Threaded Pipeline b basic d defective
variant r response property p precedence
property n no reductions s slicing a slicing
data abstraction
21
When to Use Model Checking

• Control-related properties
• assertions
• pre- and post-conditions
• simple data invariants
• Container objects
• stacks
• queues
• Verifying concurrent behavior
• Necessity for counter-examples
• Automatic property verification of source code

22
Analysis Not Appropriate for Model Checking

• Data-related properties
• Verification of sorting algorithms
• Use other formal methods instead (theorem
  proving)
• Where static dataflow analysis is better
• array-bounds errors
• buffer overruns
• null-pointer de-referencing

23
The Future of Bandera

• Bandera 0.3b2 Summer 2003
• Bandera 1.0 Summer 2004
• No more command line startup
• Collection of plug-ins for the Eclipse IDE
• All features re-deigned, re-implemented, re-done
• Future of Model Checking? Bogor (KSU)
• Forget supporting other model checkers in Bandera
• Bogor is a big step in model checking?

24
Links and Related Work

• Try Me!
• http//bandera.projects.cis.ksu.edu/
• Visit Citeseer for abstraction and slicing papers
• Model Checkers SPIN, dSPIN, JPF
• Source Code Translators JPF, JCAT
• Many More! Use Google!

25
Questions?

• Learn anything from this talk or the class?
• Would you use model checking? If so, when?
• Do you like the push for the original Bandera?
• Using only Eclipse a good idea?
• Why stop supporting other model checkers?
• Support their own tool Bogor?
• Too time consuming writing BIR translators?
• A dream writing BIR, universal language?