Specifying Temporal Properties of Software Using the Bandera Specification Language

Slide 1: Specifying Temporal Properties of Software Using the Bandera Specification Language
  • James Corbett (U. Hawaii)
  • Matthew Dwyer (Kansas State)
  • John Hatcliff (Kansas State)
  • Robby (Kansas State)

http://www.cis.ksu.edu/santos/bandera
Slide 2: Bandera: An open tool set for model-checking Java source code
  • Slicing
  • Temporal Specification
  • Abstract Interpretation
  • Static Analysis
Slide 3: Property Specification Problem
  • It is difficult to formalize a requirement in temporal logic.

The requirement

Between the key being inserted and the key being removed, the ignition can be activated at most twice.

is rendered in LTL as...

[]((keyIn /\ <>keyRem) -> ((!activate /\ !keyRem) U (keyRem \/ ((activate /\ !keyRem) U (keyRem \/ ((!activate /\ !keyRem) U (keyRem \/ ((activate /\ !keyRem) U (keyRem \/ (!activate U keyRem))))))))))
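The formula above is the "bounded existence" pattern (at most two occurrences of activate between keyIn and keyRem) from the pattern catalogue cited on slide 15. The Python below is an added example, not part of the presentation or of the Bandera tool set: a small evaluator for LTL over finite traces, used to check that formula against constructed key-session traces. The tuple formula encoding, the at_most_twice_between builder, the key_session generator and the trace contents are this example's own. Bandera checks such formulas over a program's state space with a model checker rather than over one finite trace, so the "strong until" finite-trace semantics used here is an approximation of that.

```python
from functools import lru_cache

# Formulas are nested tuples:
#   ('ap', name)                         atomic proposition
#   ('not', f), ('and', f, g), ('or', f, g), ('imp', f, g)
#   ('U', f, g)                          strong until: g must hold at some point
#   ('F', f), ('G', f)                   eventually / always
# A trace is a list of states; each state is the set of propositions true in it.


def holds(formula, trace, i=0):
    """Evaluate `formula` at position i of a finite trace (strong semantics:
    <> and U need a witness state inside the trace)."""
    n = len(trace)

    @lru_cache(maxsize=None)
    def ev(f, k):
        op = f[0]
        if op == 'ap':
            return f[1] in trace[k]
        if op == 'not':
            return not ev(f[1], k)
        if op == 'and':
            return ev(f[1], k) and ev(f[2], k)
        if op == 'or':
            return ev(f[1], k) or ev(f[2], k)
        if op == 'imp':
            return (not ev(f[1], k)) or ev(f[2], k)
        if op == 'F':
            return any(ev(f[1], j) for j in range(k, n))
        if op == 'G':
            return all(ev(f[1], j) for j in range(k, n))
        if op == 'U':
            # f[1] U f[2]: f[2] holds at some j >= k and f[1] holds on [k, j)
            for j in range(k, n):
                if ev(f[2], j):
                    return True
                if not ev(f[1], j):
                    return False
            return False
        raise ValueError('unknown operator %r' % op)

    return ev(formula, i)


def ap(name):
    return ('ap', name)


def at_most_twice_between(P, Q, R):
    """Bounded-existence pattern, 'P occurs at most twice between Q and R':
    []((Q /\ <>R) -> ((!P /\ !R) U (R \/ ((P /\ !R) U (R \/ ((!P /\ !R) U
    (R \/ ((P /\ !R) U (R \/ (!P U R)))))))))).
    Each maximal run of consecutive P-states counts as one occurrence."""
    not_p_not_r = ('and', ('not', P), ('not', R))
    p_not_r = ('and', P, ('not', R))
    body = ('U', not_p_not_r,
            ('or', R, ('U', p_not_r,
             ('or', R, ('U', not_p_not_r,
              ('or', R, ('U', p_not_r,
               ('or', R, ('U', ('not', P), R)))))))))
    return ('G', ('imp', ('and', Q, ('F', R)), body))


# The slide's requirement, with the slide's proposition names.
IGNITION = at_most_twice_between(ap('activate'), ap('keyIn'), ap('keyRem'))


def key_session(activations, removed=True):
    """Constructed trace: key inserted, `activations` separate ignition pulses
    (each followed by an idle state), then the key removed unless removed=False."""
    states = [{'keyIn'}]
    for _ in range(activations):
        states += [{'activate'}, set()]
    if removed:
        states.append({'keyRem'})
    return states


def ignition_ok(trace):
    """True iff the trace satisfies the ignition requirement."""
    return holds(IGNITION, trace)


if __name__ == '__main__':
    for name, trace in [('two pulses', key_session(2)),
                        ('three pulses', key_session(3)),
                        ('five pulses, key never removed', key_session(5, removed=False))]:
        print('%-32s %s' % (name, ignition_ok(trace)))
```

Two properties of the pattern show up immediately when it is run: a session in which the key is never removed satisfies the formula no matter how often the ignition fires, because the scope "between keyIn and keyRem" never closes; and several consecutive states with activate true count as a single occurrence, so the proposition must be defined at a granularity where separate activations are separated by a state in which it is false.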
Slide 4: Issue: Checker Dependence

(Figure: checker inputs and model checkers. The temporal specification is written directly in LTL, the input notation of one particular model checker, Spin, so the specification is tied to that checker.)
Slide 5: Issue: Representation Dependence
  • Source's representation

  Heap.b.head == Heap.b.tail

  • Model's representation

  (((_collect(heap_b) == 1) /\ (BoundedBuffer_col.instance_index(heap_b).head == BoundedBuffer_col.instance_index(heap_b).tail))
   \/ ((_collect(heap_b) == 3) /\ (BoundedBuffer_col_0.instance_index(heap_b).head == BoundedBuffer_col_0.instance_index(heap_b).tail))
   \/ ((_collect(heap_b) == 0) /\ TRAP))
Slide 6: Issue: Naming Heap-allocated Objects

Consider multiple instances of a bounded buffer class...

Requirement: If a buffer instance becomes full, it will eventually become non-full.

In general, a heap object has no program-level name that persists throughout the lifetime of the object.
Slide 7: BSL: Bandera Specification Language
  • Propositions are stated in terms of source code features
  • Temporal relationships are expressed using field-tested specification patterns
  • Heap objects are named via object quantification

Language structure:
  • Assertion Property Specification (selective enabling)
  • Temporal Property Specification (via pattern language)
  • Assertion Definition
  • Predicate Definition
Slide 8: Bounded Buffer

  class BoundedBuffer {
    Object[] buffer;
    int head;    /* next available slot */
    int tail;    /* last available slot */
    int bound;   /* max # of elements */
    public BoundedBuffer(int b) { ... }
    public synchronized boolean isEmpty() { ... }
    public synchronized void add(Object o) { ... }
    public synchronized Object take() { ... }
  }

(Figure: example operation sequences on a buffer: Add, Add and Add, Take, Take.)
Slide 9: Bounded Buffer

  public synchronized void add(Object o) {
    while (tail == head)                        /* buffer full: wait for a take() */
      try { wait(); } catch (InterruptedException ex) {}
    buffer[head] = o;
    head = (head + 1) % bound;
    notifyAll();
  }

  public synchronized Object take() {
    while (head == ((tail + 1) % bound))        /* buffer empty: wait for an add() */
      try { wait(); } catch (InterruptedException ex) {}
    tail = (tail + 1) % bound;
    notifyAll();
    return buffer[tail];
  }
Slide 10: Bounded Buffer Properties
  • Buffers are constructed with positive bounds
  • Full buffers eventually become non-full
  • Empty buffers must be added to before being taken from
  • Indices always stay in range
  • Elements are always added in the correct position
Slide 11: Reminder --- Language Structure
  • Assertion Property Specification (selective enabling)
  • Temporal Property Specification (via pattern language)
  • Assertion Definition
  • Predicate Definition
Slide 12: Assertion Forms

  class MyClass {
    int count = 0;
    /* @assert
         PRE foo (I > 5);
         POST bar (count > 10);
         LOCATION[here] checka (m.q.a == 4);
    */
    public void mymethod(int I) {
      ...
      here: ...
    }
  }
Slide 13: Assertion Checking

Requirement: Buffers are constructed with positive bounds.

  /* @assert PRE PositiveBound (b > 0); */
  public BoundedBuffer(int b) {
    bound = b;
    buffer = new Object[bound];
    head = 0;
    tail = bound - 1;
  }
Slide 14: Predicate Forms
Slide 15: Pattern Hierarchy
(Dwyer, Avrunin, Corbett, ICSE99)

Property Patterns
  • Occurrence
      • Absence
      • Universality
      • Existence
      • Bounded Existence
  • Order
      • Precedence
      • Response
      • Chain Precedence
      • Chain Response
Slide 16: Property Specification

Requirement: Full buffers eventually become non-full.

  /* @observable EXP Full (head == tail); */
  class BoundedBuffer {
    Object[] buffer;
    int head, tail, bound;
    public synchronized void add(Object o) { ... }
    public synchronized Object take() { ... }
  }

forall[b:BoundedBuffer]. Full(b) leads to !Full(b) globally
Slide 17: Property Specification

Requirement: Empty buffers must be added to before being taken from.

  /* @observable EXP Empty (head == ((tail + 1) % bound)); */
  class BoundedBuffer {
    int head, tail, bound;
    public synchronized void add(Object o) { ... }
    public synchronized Object take() { ... }
  }

  /* @observable INVOKE Call */

  /* @observable RETURN Return */

forall[b:BoundedBuffer]. ...
Slide 18: Quantification
  • forall[b:BoundedBuffer]. P(b)
  • The quantified set (the set of BoundedBuffer instances) is not fixed:
      • it varies within executions
      • it varies across executions
  • Solution:
      • add a state variable (for b) that will eventually be bound non-deterministically to each instance
      • enable checking of the formula only when the variable is bound to an instance
Slide 19: Quantification (Contd)

(!selected U (selected /\ P(b))) \/ [] !selected

(Figure: an execution tree in which the allocations new BoundedBuffer(n), new BoundedBuffer(m) and new BoundedBuffer(k) create instances 1, 2 and 3. Along every branch !selected holds until, at one of the allocations, at most one instance becomes selected ("1 selected", "2 selected" or "3 selected"); one branch never selects any instance.)
Slide 20: Quantification (Contd)

Instrumented with a static variable that is bound non-deterministically to one instance:

  class heap {
    public static BoundedBuffer b;
  }

  class BoundedBuffer {
    Object[] buffer;
    int head, tail, bound;
    public BoundedBuffer(int n) {
      ...
      if (heap.b == null && Bandera.choose())
        heap.b = this;
    }
  }

For comparison, the uninstrumented class:

  class BoundedBuffer {
    Object[] buffer;
    int head, tail, bound;
    public BoundedBuffer(int n) { ... }
  }
Slide 21: Quantification (Contd)

forall[b:BoundedBuffer]. Full(b) leads to !Full(b) globally

becomes

(heap.b == null U (heap.b != null /\ []((heap.b.head == heap.b.tail) -> <>(heap.b.head != heap.b.tail)))) \/ [](heap.b == null)
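To see what the quantification encoding on slides 18 to 21 buys, here is an added example in Python (not from the presentation and not Bandera's implementation): a model of the page's BoundedBuffer index arithmetic with the page's Full and Empty predicates, an allocation step that mirrors the instrumented constructor `if (heap.b == null && Bandera.choose()) heap.b = this;`, and an enumeration of every outcome of the choose() calls. The script, the instance names x and y and the trace format are constructed for the example. Each run is checked against the slide 21 formula with finite-trace semantics, so a buffer that is still full when the script ends counts as a violation; the model checker reasons over the complete state space instead.

```python
from itertools import product


class BoundedBuffer:
    """Model of the page's buffer indices; payloads are irrelevant to the
    property.  Full(b) is head == tail and Empty(b) is head == (tail+1) % bound,
    as the observables on slides 16 and 17 define them."""

    def __init__(self, bound):
        self.bound = bound
        self.head = 0
        self.tail = bound - 1

    def full(self):
        return self.head == self.tail

    def empty(self):
        return self.head == (self.tail + 1) % self.bound

    def add(self):
        assert not self.full(), 'script would block in add()'
        self.head = (self.head + 1) % self.bound

    def take(self):
        assert not self.empty(), 'script would block in take()'
        self.tail = (self.tail + 1) % self.bound


def run(script, choices):
    """Execute a constructed script with a fixed tuple of Bandera.choose()
    outcomes.  Returns (name bound to heap.b or None, trace); the trace records
    (heap.b, Full(heap.b)) after every step, with Full = None while unbound."""
    heap_b = None
    instances = {}
    trace = []
    choices = iter(choices)
    for step in script:
        if step[0] == 'new':
            _, name, bound = step
            instances[name] = BoundedBuffer(bound)
            # Instrumented constructor from slide 20:
            #   if (heap.b == null && Bandera.choose()) heap.b = this;
            # choose() is only consulted while heap.b is still null.
            if heap_b is None and next(choices):
                heap_b = name
        elif step[0] == 'add':
            instances[step[1]].add()
        elif step[0] == 'take':
            instances[step[1]].take()
        else:
            raise ValueError(step)
        full = instances[heap_b].full() if heap_b is not None else None
        trace.append((heap_b, full))
    return heap_b, trace


def full_leads_to_nonfull(trace):
    """Slide 21 formula on a finite trace:
    (heap.b == null U (heap.b != null /\ [](Full(b) -> <>!Full(b)))) \/ [](heap.b == null).
    heap.b is assigned at most once, so it suffices to demand that every Full
    state after the binding is followed by a non-Full state; a run that never
    binds heap.b satisfies the formula vacuously."""
    for i, (b, full) in enumerate(trace):
        if b is not None and full and not any(f is False for _, f in trace[i:]):
            return False
    return True


def check_all_runs(script):
    """Enumerate every outcome of the choose() calls and check each run.
    Returns (instances that some run bound to heap.b,
             instances whose run violates the property)."""
    n_alloc = sum(1 for s in script if s[0] == 'new')
    covered, violations = set(), set()
    for choices in product([True, False], repeat=n_alloc):
        b, trace = run(script, choices)
        if b is not None:
            covered.add(b)
            if not full_leads_to_nonfull(trace):
                violations.add(b)
    return covered, violations


# Constructed script: x (bound 3, so it holds two elements before head == tail)
# fills and drains; y (bound 2) fills and is never taken from.
SCRIPT = [
    ('new', 'x', 3), ('add', 'x'), ('add', 'x'),
    ('new', 'y', 2), ('add', 'y'),
    ('take', 'x'),
]


if __name__ == '__main__':
    covered, violations = check_all_runs(SCRIPT)
    print('instances bound in some run:', sorted(covered))
    print('instances violating Full leads to !Full:', sorted(violations))
```

Enumerating the choices gives one run per instance plus the run that binds nothing, which is exactly the coverage the slide 19 tree describes: every instance is examined by some run, and a single bad instance (y here) surfaces as a failing run even though the other instance and the unbound run pass.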
Slide 22: Next Steps: Avionics Domain
  • Case studies of avionics code leading to domain-specific patterns
  • Working with Rockwell-Collins ATC as they develop FAA coding guidelines for using OO in avionics platforms (a supplement to DO-178B)
  • The guidelines contain various restrictions on patterns of use
  • Ultimately, use model-checking results as evidence to help justify FAA certification
Slide 23: Next Steps: Richer Specifications
  • Integration of BSL with the Java Modeling Language (JML) developed by Gary Leavens at Iowa State.
  • JML is also used as the specification language for
      • ESC/Java (Compaq)
      • LOOP (Bart Jacobs), which compiles Java to PVS theories for complete verification of source code.
  • In the long term, we're interested in other forms of verification.
Slide 24: Next Steps: Real-time Specifications
  • Including notions of time in patterns

<ReadSensor> responds to <SensorInput> within at most <K> globally

where <K> is some number of time units
Slide 25: Next Steps: Other Specification Forms
  • Compiling UML statecharts into Bandera's intermediate representation
  • Support specification of source code properties via hierarchical state machines
  • Incorporate refinement checking at various levels.

(inspiration from Rajeev Alur et al.)
Slide 26: For more details
http://www.cis.ksu.edu/santos/bandera
  • Public release of the tool set
  • Tutorial with repository of simple examples
  • Tutorial lecture slides
  • Pattern web pages
Slide 27: Property Specification

Requirement: Indices always stay in range. (The constructor sets head = 0 and tail = bound - 1, so the lower bound is inclusive.)

  /* @observable
       EXP HeadRange (head >= 0 && head < bound);
       EXP TailRange (tail >= 0 && tail < bound);
  */
  class BoundedBuffer {
    Object[] buffer;
    int head, tail, bound;
    public synchronized void add(Object o) { ... }
    public synchronized Object take() { ... }
  }

forall[b:BoundedBuffer]. ...
Slide 28: Embedding Assertion

  class BoundedBuffer {
    Object[] buffer;
    int head, tail, bound;
    /* @assert PRE PosBound1 (n > 0); */
    public BoundedBuffer(int n) { ... }
    public synchronized void add(Object o) { ... }
  }

The PRE assertion is embedded at method entry as

  public BoundedBuffer(int n) {
    Bandera.assert(n > 0);
    ...
  }
Slide 29: Bounded Buffer

  public BoundedBuffer(int b) {
    bound = b;
    buffer = new Object[bound];
    head = 0;
    tail = bound - 1;
  }

  public synchronized boolean isEmpty() {
    return head == ((tail + 1) % bound);
  }
Slide 30: Test Result Assessments

Property                           Sliced   Never-claim states   Stored states
BufferAssertions                   Yes      -                    17797
IndexRangeInv                      Yes      14                   45215
IndexRangeInv, BufferAssertions    Yes      14                   115387
FullToNonFull                      Yes      25                   64687
FullToNonFull, BufferAssertions    Yes      25                   154842
Slide 31: Semantic Issues

@assert PRE <name> <exp>
  IMPLICATION: holds if <exp> is true WHEN control is at the entry of the method (true otherwise)

@observable INVOKE <name> <exp>
  CONJUNCTION: holds if <exp> is true AND control is at the entry of the method
Slide 32: Methodology: Property Specification
  • Identify the observables (propositions) in the requirement
  • Define the propositions in source Javadoc comments
  • Use the GUI to select the appropriate temporal pattern, parameterized by the declared observables
  • Add quantification if the property contains instance propositions.