Model-checking Concurrent Java Software Using the Bandera Tool Set (PowerPoint presentation transcript)
1
Model-checking Concurrent Java Software Using the Bandera Tool Set
(http://www.cis.ksu.edu/santos/bandera)
Faculty
  • Matthew Dwyer
  • John Hatcliff
Students and Post-docs
  • Radu Iosif, Hongjun Zheng, Shawn Laubach, Corina Pasareanu, Robby, Roby Joehanes, Venkatesh Ranganath, Oksana Tkachuk
Funding
  • US National Science Foundation (NSF), US National Aeronautics and Space Agency (NASA), US Department of Defense Advanced Research Projects Agency (DARPA), US Army Research Office
  • Rockwell-Collins ATC, Honeywell Technology Center and NASA Langley, Sun Microsystems
2
Goals of the Project
I. Provide a platform for construction of and experimentation with technologies for model-checking concurrent Java software
  • model-reduction techniques, e.g., abstraction, slicing, compiler-based optimizations
  • model-checking engines, e.g., explicit-state, symbolic
  • property specification languages, e.g., temporal logic, state machines
II. Integration with commonly used design notations, methods, and processes
  • UML artifacts, JML, e.g., checking, specification
  • integration with development and certification of safety-critical systems
  • automatic generation of synchronization code with dedicated checking
III. Evaluation using safety-critical military and civilian applications as well as non-critical popular open-source software
3
Model Checking
[Diagram: a finite-state model and a temporal logic formula are the inputs to the Model Checker, whose output is either OK or a counterexample]
4
What makes model-checking software difficult?
Problems using existing checkers
  • Model construction
  • State explosion
  • Property specification
  • Output interpretation

5
Model Construction Problem
Program
  void add(Object o) { buffer[head] = o; head = (head+1) % size; }
  Object take() { tail = (tail+1) % size; return buffer[tail]; }
Model Description
Model Checker
  • Semantic gap
    • Programming Languages: methods, inheritance, dynamic creation, exceptions, etc.
    • Model Description Languages: automata
6
What makes model-checking software difficult?
Problems using existing checkers
  • Model construction
  • State explosion
  • Property specification
  • Output interpretation

7
Property Specification Problem
  • Difficult to formalize a requirement in temporal logic

"Between the window open and the window close, button X can be pushed at most twice."
is rendered in LTL as...
  []((open /\ <>close) ->
     ((!pushX /\ !close) U (close \/ ((pushX /\ !close) U (close \/
     ((!pushX /\ !close) U (close \/ ((pushX /\ !close) U (close \/
     (!pushX U close))))))))))
8
Property Specification Problem
Forced to state property in terms of the model rather than the source
  • We want to write source level specifications...

  Heap.b.head == Heap.b.tail

  • We are forced to write model level specifications...

  (((_collect(heap_b) == 1) /\
     (BoundedBuffer_col.instance_index(heap_b).head == BoundedBuffer_col.instance_index(heap_b).tail)) \/
   ((_collect(heap_b) == 3) /\
     (BoundedBuffer_col_0.instance_index(heap_b).head == BoundedBuffer_col_0.instance_index(heap_b).tail)) \/
   ((_collect(heap_b) == 0) /\ TRAP))
9
Property Specification Problem
Consider multiple instances of a bounded buffer class...
Requirement: If a buffer instance becomes full, it will eventually become non-full.
In general, a heap object has no program-level name that persists throughout the lifetime of the object.
10
What makes model-checking software difficult?
Problems using existing checkers
  • Model construction
  • State explosion
  • Property specification
  • Output interpretation

11
State Explosion Problem
  • Cost is exponential in the number of components
  • Moore's law and algorithm advances can help
    • Holzmann: 7 days (1980) -> 7 seconds (2000)
  • Explosive state growth in software limits scalability

12
What makes model-checking software difficult?
Problems using existing checkers
  • Model construction
  • State explosion
  • Property specification
  • Output interpretation

13
Output Interpretation Problem
Program
  void add(Object o) { buffer[head] = o; head = (head+1) % size; }
  Object take() { tail = (tail+1) % size; return buffer[tail]; }
Model Description
  • Raw error trace may be 1000s of steps long
  • Must map line listing onto model description
  • Mapping to source is made difficult by
    • Semantic gap: clever encodings of complex features
    • multiple optimizations and transformations
14
Bandera: An open tool set for model-checking Java source code
15
Addressing the Model Construction Problem
  • Numerous analyses, optimizations, two intermediate languages, multiple back-ends
  • Slicing, abstract interpretation, specialization
  • Variety of usage modes: simple ... highly tuned

16
Addressing the Property Specification Problem
An extensible language based on field-tested temporal property specification patterns, which replaces hand-written formulas such as
  []((open /\ <>close) ->
     ((!pushX /\ !close) U (close \/ ((pushX /\ !close) U (close \/
     ((!pushX /\ !close) U (close \/ ((pushX /\ !close) U (close \/
     (!pushX U close))))))))))
17
Addressing the State Explosion Problem
Java Source
  void add(Object o) { buffer[head] = o; head = (head+1) % size; }
Model Compiler
Model Descriptions
  • Aggressive customization via slicing, abstract interpretation, program specialization

18
Addressing the Output Interpretation Problem
Model Description
Intermediate Representations
Model Checker
Model Compiler
Error trace
  • Run error traces forwards and backwards
  • Program state queried
  • Heap structures navigated
  • Locks, wait sets, blocked sets displayed

19
Bandera Architecture
[Architecture diagram: the components named on the slide are the Slicer, the Abstraction Engine, Analyses, BIRC, BIR, the Simulator, and Translators to the back-end checkers SPIN, dSPIN, SMV and JPF]
20
Bounded Buffer
  class BoundedBuffer {
    Object[] buffer;
    int head;     /* next available slot */
    int tail;     /* last available slot */
    int bound;    /* max # of elements */
    public BoundedBuffer(int b) { ... }
    public synchronized boolean isEmpty() { ... }
    public synchronized void add(Object o) { ... }
    public synchronized Object take() { ... }
  }

Example traces: Add,Add and Add,Take,Take
21
Property Specification
  /** @observable EXP Full: (head == tail); */
  class BoundedBuffer {
    Object[] buffer;
    int head, tail, bound;
    public synchronized void add(Object o) { ... }
    public synchronized Object take() { ... }
  }
22
Property Specification
  /** @observable EXP Empty: head == ((tail+1) % bound); */
Requirement 3: Empty buffers must be added to before being taken from
  class BoundedBuffer {
    int head, tail, bound;
    /** @observable INVOKE Call; */
    public synchronized void add(Object o) { ... }
    /** @observable RETURN Return; */
    public synchronized Object take() { ... }
  }
  forall[b:BoundedBuffer].
23
Front End
Java
  public synchronized void add(Object o) {
    while (tail == head)
      try { wait(); } catch (InterruptedException ex) {}
    buffer[head] = o;
    head = (head+1) % bound;
    notifyAll();
  }
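The add/take code of slides 20 to 23, as an added Python example that is not from the Bandera project: a small explicit-state checker that enumerates every interleaving of two adders and one taker over the (head, tail) state, the kind of search the back-end checkers perform, and reports the shortest error trace. With atomic (synchronized) add/take it finds none; with the guard and the update split, as an unsynchronized add would run, it returns a trace in which a second adder overwrites a slot. BOUND = 3 and the ghost item counter are constructed here for the example.

```python
from collections import deque

BOUND = 3               # slide layout: head = next free slot, tail = last slot taken from
CAPACITY = BOUND - 1    # one slot is sacrificed so that full and empty are distinguishable

def is_full(head, tail):
    return head == tail                    # slide 21: Full is (head == tail)

def is_empty(head, tail):
    return head == (tail + 1) % BOUND      # slide 22: Empty is head == ((tail+1) % bound)

def successors(state, threads, atomic):
    """Yield (label, next_state) for each thread that can take a step. atomic=True
    models synchronized add/take (guard and update in one step); False splits them."""
    head, tail, items, pcs = state
    for i, kind in enumerate(threads):
        blocked = is_full(head, tail) if kind == "add" else is_empty(head, tail)
        if pcs[i] == 0 and blocked:
            continue                       # thread sits in wait(); no step enabled
        if pcs[i] == 0 and not atomic:     # guard passed; the update comes later
            yield f"T{i}:{kind} guard ok", (head, tail, items, pcs[:i] + (1,) + pcs[i+1:])
            continue
        if kind == "add":
            head2, tail2, items2 = (head + 1) % BOUND, tail, items + 1
        else:
            head2, tail2, items2 = head, (tail + 1) % BOUND, items - 1
        yield f"T{i}:{kind}", (head2, tail2, items2, pcs[:i] + (0,) + pcs[i+1:])

def check(threads, atomic):
    """Breadth-first search over all interleavings. Returns the shortest trace (list of
    step labels) reaching a state whose ghost item count leaves 0..CAPACITY, i.e. an
    overwritten slot or a take from an empty buffer, or None if no interleaving does."""
    init = (1, 0, 0, (0,) * len(threads))   # head=1, tail=0 is the empty buffer
    parent = {init: None}
    queue = deque([init])
    while queue:
        state = queue.popleft()
        if not 0 <= state[2] <= CAPACITY:
            trace = []
            while parent[state] is not None:
                label, state = parent[state]
                trace.append(label)
            return trace[::-1]
        for label, nxt in successors(state, threads, atomic):
            if nxt not in parent:
                parent[nxt] = (label, state)
                queue.append(nxt)
    return None
```

`check(("add", "add", "take"), atomic=True)` returns None, while `atomic=False` yields a six-step trace ending in the add that exceeds the capacity.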
24
Property-directed Slicing
Source program
  • slicing criterion generated automatically from observables mentioned in the property
  • backwards slicing automatically finds all components that might influence the observables

25
Property-directed Slicing
  /** @observable EXP Full: (head == tail); */
  class BoundedBuffer {
    Object[] buffer;                 // struck through on the slide: sliced away
    int bound;
    int head, tail;
    public synchronized void add(Object o) {
      while (tail == head)
        try { wait(); } catch (InterruptedException ex) {}
      buffer[head] = o;              // struck through on the slide: sliced away
      head = (head+1) % bound;
      notifyAll();
    }
    ...
  }
26
Abstraction Engine
Collapses data domains via abstract interpretation
Data domains
Code
  int x = 0;
  if (x == 0) x = x + 1;
27
Abstraction Component Functionality
Variable  Type    Abstraction
x         int     Signs
y         int     Signs
done      bool    Bool
count     int     intAbs
o         Object  Point
b         Buffer  Buffer
Abstraction Library (Signs, ...)
28
Abstraction Specification
  abstraction Signs abstracts int
  begin
    TOKENS = { NEG, ZERO, POS };
    abstract(n)
    begin
      n < 0  -> NEG;
      n == 0 -> ZERO;
      n > 0  -> POS;
    end
    operator add
    begin
      (NEG , NEG)  -> NEG;
      (NEG , ZERO) -> NEG;
      (ZERO, NEG)  -> NEG;
      (ZERO, ZERO) -> ZERO;
      (ZERO, POS)  -> POS;
      (POS , ZERO) -> POS;
      (POS , POS)  -> POS;
      (_,_) -> { NEG, ZERO, POS };   /* case (POS,NEG), (NEG,POS) */
    end
  end

  public class Signs {
    public static final int NEG  = 0;  // mask 1
    public static final int ZERO = 1;  // mask 2
    public static final int POS  = 2;  // mask 4
    public static int abstract(int n) {
      if (n < 0)  return NEG;
      if (n == 0) return ZERO;
      return POS;                      // n > 0
    }
    public static int add(int arg1, int arg2) {
      if (arg1 == NEG  && arg2 == NEG)  return NEG;
      if (arg1 == NEG  && arg2 == ZERO) return NEG;
      if (arg1 == ZERO && arg2 == NEG)  return NEG;
      if (arg1 == ZERO && arg2 == ZERO) return ZERO;
      if (arg1 == ZERO && arg2 == POS)  return POS;
      if (arg1 == POS  && arg2 == ZERO) return POS;
      if (arg1 == POS  && arg2 == POS)  return POS;
      return Bandera.choose(7);        /* case (POS,NEG), (NEG,POS) */
    }
  }
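The Signs abstraction above, as an added Python example that is not the tool's generated code: the operator table with its non-deterministic fall-through (encoded as the choice mask 7, matching the `Bandera.choose(7)` call), plus the soundness check a practitioner wants before trusting a hand-written abstraction. `add_unsound` is a hypothetical mistaken table, constructed here to show the check producing a concrete counterexample.

```python
NEG, ZERO, POS = 0, 1, 2     # token encoding of the generated Signs class (masks 1, 2, 4)
TOKENS = (NEG, ZERO, POS)

def abstract(n):
    """abstract(n) from the slide's Signs specification."""
    return NEG if n < 0 else ZERO if n == 0 else POS

# Abstract 'add' operator as a table; unlisted pairs, i.e. (POS, NEG) and (NEG, POS),
# fall through to the non-deterministic result {NEG, ZERO, POS}.
ADD_TABLE = {(NEG, NEG): {NEG}, (NEG, ZERO): {NEG}, (ZERO, NEG): {NEG},
             (ZERO, ZERO): {ZERO}, (ZERO, POS): {POS}, (POS, ZERO): {POS},
             (POS, POS): {POS}}

def add(a, b):
    return ADD_TABLE.get((a, b), set(TOKENS))

# Hypothetical mistaken operator (constructed): assumes opposite signs always cancel to ZERO.
def add_unsound(a, b):
    return ADD_TABLE.get((a, b), {ZERO})

def choose_mask(tokens):
    """Bit mask encoding of a choice set, as in 'return Bandera.choose(7)'."""
    return sum(1 << t for t in tokens)

def find_counterexample(op, lo=-8, hi=8):
    """Soundness check: for every concrete pair (x, y) in the range, the abstraction of
    the real sum must be among the tokens op returns for the abstracted arguments.
    Returns the first violating pair, or None if op is sound on the range."""
    for x in range(lo, hi + 1):
        for y in range(lo, hi + 1):
            if abstract(x + y) not in op(abstract(x), abstract(y)):
                return (x, y)
    return None
```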
29
Specification Creation Tools
  abstraction Signs abstracts int
  begin
    TOKENS = { NEG, ZERO, POS };
    abstract(n)
    begin
      n < 0  -> NEG;
      n == 0 -> ZERO;
      n > 0  -> POS;
    end
    operator add
    begin
      (NEG , NEG)  -> NEG;
      (NEG , ZERO) -> NEG;
      (ZERO, NEG)  -> NEG;
      (ZERO, ZERO) -> ZERO;
      (ZERO, POS)  -> POS;
      (POS , ZERO) -> POS;
      (POS , POS)  -> POS;
      (_,_) -> { NEG, ZERO, POS };
    end
  end
30
Bounded Buffer BIR
State Declarations
  process BoundedB() {
    BoundedBuffer_rec record {
      bound   range -1..4;
      head    range -1..4;
      tail    range -1..4;
      BIRLock lock wait reentrant;
    }
    BoundedBuffer_col   collection [3] of BoundedBuffer_rec;
    BoundedBuffer_col_0 collection [3] of BoundedBuffer_rec;
    BoundedBuffer_ref   ref { BoundedBuffer_col, BoundedBuffer_col_0 };
    ...
  }
31
Abstraction Assessment
  • Abstraction library and other abstraction facilities [ICSE 01]
  • Automated but not completely automatic
    • Generating abstract programs is completely automatic, but selection of abstractions is not
    • Not automatic for a good reason: pervasive use of dynamically allocated data and threads in Java means that it is very difficult to apply existing automatic refinement techniques
  • Local predicate abstraction automates the most tedious aspects of abstraction definition
  • Abstract type inference makes the approach practical
  • Modified search bounded by non-deterministic choice

32
Bounded Buffer BIR
Guarded Transitions
  loc s34: live { b2, b1, T_0, T_6, T_8 }
    when true do invisible { T_8 := (T_6 == T_8); } goto s35;
  loc s36: live { b2, b1, T_0 }
    when true do { notifyAll(T_0.BIRLock); } goto s37;
  loc s37: live { b2, b1, T_0 }
    when true do { unlock(T_0.BIRLock); } goto s38;
33
Bounded Buffer Promela
  typedef BoundedBuffer_rec {
    type_8  bound;
    type_8  head;
    type_8  tail;
    type_18 BIRLock;
  }
  loc_25: atomic {
    printf("BIR 25 0 1 OK\n");
    if
    :: (_collect(T_0) == 1) -> T_8 = BoundedBuffer_col.instance_index(T_0).tail
    :: (_collect(T_0) == 2) -> T_8 = BoundedBuffer_col_0.instance_index(T_0).tail
    :: else -> printf("BIR 25 0 1 NullPointerException\n"); assert(0)
    fi;
    goto loc_26
  }
34
What's New
  • Full integration with JPF (now with temporal properties)
  • Extended Bandera Specification Language
    • Parameter-passing to predicates
    • Support for Java interfaces
    • Quantification over container objects
  • BIR Back-end developer's kit
  • Support for environment generation
  • Enhanced counter-example display
    • Watch variables, break-points, etc.
    • Different view levels

35
What's New
  • Significant extensions of BIR Back-end (dynamic creation of threads, recursive methods, user-thrown exceptions)
  • Significant extensions to abstraction facilities
  • UML state-chart specification/checking

36
Summary
  • Bandera provides an open platform for experimentation
  • Designed for extensibility
    • well-defined internal representations and interfaces
    • We hope this will contribute to the definition of APIs for software model-checkers
  • Large tutorial, examples, and other documentation on web-site
  • Over 100 registered users so far
  • Incorporation of other complementary tools such as SyncGen
  • External users often frustrated due to the number of different concepts in the tool kit and the full language not yet being supported. We are working to overcome these.
  • Ongoing experiments focusing on avionics software with industrial partners, and various open-source software

37
See me later for a Demo, or check out
http://www.cis.ksu.edu/santos/bandera
http://www.cis.ksu.edu/saves/syncgen