Java pathfinder and model checking of programs
Information Sciences & Technology. Java PathFinder and Model Checking of Programs. Guillaume Brat, Dimitra Giannakopoulou, Klaus Havelund, Mike Lowry, Phil Oh, Corina Pasareanu, Charles Pecheur, John Penix, Willem Visser NASA Ames Research Center Automated Software Engineering Group.

Information Sciences & Technology

Java PathFinder and Model Checking of Programs

Guillaume Brat, Dimitra Giannakopoulou, Klaus Havelund, Mike Lowry, Phil Oh, Corina Pasareanu, Charles Pecheur, John Penix, Willem Visser

NASA Ames Research Center

Automated Software Engineering Group

Matt Dwyer, John Hatcliff

Kansas State University

Department of Computing and Information Sciences

Alex Groce, Flavio Lerda

Carnegie Mellon University

School of Computer Science


Outline

  • Motivation

  • Model Checking and Testing

  • Java PathFinder

  • Program Model Checking


Motivation

Software bugs in space do not fly

  • Software errors are expensive

    • Mars Polar Lander

    • Ariane 501


Model Checking

[Diagram: a finite-state model and a temporal logic formula (F W) go into the Model Checker, which answers OK or produces an error trace listing the lines involved (Line 5, Line 12, Line 15, Line 21, Line 25, Line 27, Line 41, Line 47)]

  • Verification and Validation are crucial

    • Model checking has been shown effective


The dream

[Diagram: the same picture as on the Model Checking slide, with a Program in place of the finite-state model: the program and a temporal logic formula (F W) go into the Model Checker, which answers OK or produces a line-numbered error trace]

Program from the slide, a circular buffer whose add() and take() are shown with no full/empty checks and no synchronization:

    // fields the slide leaves implicit: Object[] buffer; int head, tail, size;
    void add(Object o) {
        buffer[head] = o;          // store at the head slot
        head = (head+1)%size;      // advance head, wrapping around
    }

    Object take() {
        tail=(tail+1)%size;        // advance tail, wrapping around
        return buffer[tail];       // read the slot tail now points at
    }

  • Model Check Programs


Some of the Issues

[The add()/take() program from the previous slide is shown again, with the gap between it and a modeling language highlighted]

  • Semantics Gap

    • Programming Languages vs. Modeling Languages

  • Complexity

  • Not Automated


Outline

  • Motivation

  • Model Checking and Testing

  • Java PathFinder

  • Program Model Checking


Model Checking and Testing

  • Software complexity is too high

  • Some of the presented methods are not sound

  • This is not model checking anymore

  • It is “automated” testing


The assumption

  • Programs have bugs

    • Knowing that there are bugs doesn’t mean knowing where they are

  • Testing is not always effective

    • Requires a lot of knowledge of the system

  • Model checking can be used to find bugs systematically

    • If no bug is found we have a non-result


Coverage Metrics

  • Testing has coverage metrics

    • They tell you how good your testing is

    • They can be used to measure confidence

  • Testing is not very effective for concurrent systems

    • You don’t just have to guess the inputs but also the timing of the inputs and the scheduling

  • Model checking can address these issues

    • We are still missing metrics for concurrent programs


Bug hunting

  • Bug hunting instead of trying to prove something correct

    • We can accept unsound methods

    • We may be able to handle real world examples

    • If we allow for modeling we are still not checking the correctness of the system itself


Outline

  • Motivation

  • Model Checking and Testing

  • Java PathFinder

  • Program Model Checking


Model Checking for Java

[Diagram: Java classes are loaded as bytecode into a special JVM driven by the model checker, which explores the resulting state space]

  • Explicit State Model Checker

  • Java Bytecode as Input Language

  • Assertions, Deadlock Freedom, LTL Properties

  • Source Level Error Trace

  • Special JVM

    • Allows guided execution


Architecture

[Diagram: a Generic Verification Environment. Language-specific front ends (Java through the special JVM and class loader; C and C++) feed generic search algorithms (model checking, testing), a storage subsystem (hash table, bitstate hashing) and an expression evaluator]


Outline

  • Motivation

  • Model Checking and Testing

  • Java PathFinder

  • Program Model Checking


Programs are complex

  • Enabling Technologies

    • Slicing

    • Abstractions

    • State Compression

    • Partial Order Reduction

    • Heuristic Search


Property-directed Slicing

[Diagram: from the source program, the statements mentioned in the property and the statements indirectly relevant to them are kept; everything else is cut from the resulting slice]

  • Slicing criterion automatically generated

  • Backwards slicing automatically finds dependencies


Abstractions

  • Remove behaviors but preserve errors

    • manual or partially automated

  • Over-approximation

    • Preserve correctness

    • Type-based abstractions

    • Predicate abstraction

    • Semi-automated


JPF Predicate Abstraction

  • Annotation used to indicate abstractions

  • Source-to-source translation

  • Java PathFinder can find abstract error traces

    Abstract.remove(x);               // stop tracking x concretely
    Abstract.remove(y);               // stop tracking y concretely
    Abstract.addBoolean("EQ", x==y);  // keep only the predicate EQ, i.e. whether x==y


Choice-bounded Search

  • An abstract trace that does not contain any non-deterministic choice corresponds to at least one concrete trace

  • Bias the model checker to look only at choice-free traces


Storing the States

[Diagram: a state consists of threads, each with its stack frames (locals, operand stack), and of classes and objects, each with their fields and methods]

  • States are complex objects

    • Classes, Instances, Threads, Stack Frames


State Compression

[Diagram: two successive states with components X=11, Y=27, Z=75, T=45, W=11; the instruction X = X + 1 replaces component X0 by X1 and leaves the other four components shared between the states]

  • Instructions modify only part of a state

  • Different states share common subparts


State Compression

[Diagram: the state is split into pools of class fields, class monitors, thread data, stack frames, object fields and object monitors; each state is an array of references into these pools]

Compression is very effective: up to 94%!
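A constructed illustration of the state-pool idea on the two State Compression slides (added here; it is not JPF's own storage code): each component of a state is interned in a pool, so the parts an instruction leaves unchanged are stored once and the state itself becomes an array of pool indices. The component names, the toy X = X + 1 loop and the cell counts it reports are my assumptions.

```python
class StatePool:
    """Stores each state as indices into per-component pools, so subparts shared
    by many states (unchanged class tables, thread stacks, ...) are kept once."""

    def __init__(self):
        self.pools = {}      # component name -> {component value: pool index}
        self.states = set()  # compressed states: tuple of pool indices
        self.raw_cells = 0   # what storing every state in full would cost

    def intern(self, name, value):
        pool = self.pools.setdefault(name, {})
        return pool.setdefault(value, len(pool))

    def add(self, state):
        """state: dict of component name -> tuple; returns the compressed state."""
        key = tuple(self.intern(n, v) for n, v in sorted(state.items()))
        if key not in self.states:
            self.states.add(key)
            self.raw_cells += sum(len(v) for v in state.values())
        return key

    def stats(self):
        pooled = sum(len(v) for p in self.pools.values() for v in p)  # unique subparts
        pooled += sum(len(k) for k in self.states)                    # index arrays
        return {"raw_cells": self.raw_cells, "pooled_cells": pooled,
                "saved_percent": round(100 * (1 - pooled / self.raw_cells), 1)}


def explore_counter_loop(steps=50):
    """Constructed program: X = X + 1 executed `steps` times. Only the object
    holding X changes; the class table and the thread stack stay identical."""
    pool = StatePool()
    state = {"class_fields": (1, 2, 3, 4),
             "thread_stack": (7, 8, 9),
             "object_fields": (0, 0, 0, 0, 0)}   # X is the first object field
    for x in range(steps):
        state["object_fields"] = (x,) + state["object_fields"][1:]
        pool.add(state)
    return pool, pool.stats()
```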


Partial Order Reduction

[Diagram: from X=11, Y=27 the two independent statements X++ and Y++ lead to X=12, Y=28 along two interleavings, one through X=12, Y=27 and one through X=11, Y=28; the two orders are equivalent]

  • Do not explore “equivalent” traces

  • Requires analysis before model checking

Access to a local variable is a perfect candidate for partial order reduction.

Java does not provide enough information.

Assume that every access to a shared object is made in mutual exclusion.

Massive use of partial order reduction.

Use the lockset algorithm to check that mutual exclusion is actually present.
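An added example (my code, not JPF's implementation) of the check the slide relies on: a lockset pass in the style of Eraser's algorithm runs over a recorded lock/unlock/access trace and reports which shared variables are really accessed in mutual exclusion, so the partial-order-reduction assumption holds for them. The event format, the lock names and the trace are constructed.

```python
ALL_LOCKS = frozenset({"L1", "L2"})   # constructed: the locks the program uses


def lockset_check(trace, all_locks=ALL_LOCKS):
    """Simplified lockset algorithm (no initialisation or read-shared refinements):
    C(v) starts as all locks and is intersected with the locks the accessing
    thread holds; an empty C(v) means v is not accessed in mutual exclusion.
    Returns (C, violations)."""
    held = {}          # thread -> set of locks currently held
    candidates = {}    # shared variable v -> C(v)
    violations = []    # (variable, index of the access that emptied C(v))
    for i, (kind, tid, name) in enumerate(trace):
        locks = held.setdefault(tid, set())
        if kind == "lock":
            locks.add(name)
        elif kind == "unlock":
            locks.discard(name)
        elif kind == "access":
            cset = candidates.setdefault(name, set(all_locks))
            was_protected = bool(cset)
            cset &= locks
            if was_protected and not cset:
                violations.append((name, i))
        else:
            raise ValueError("unknown event %r" % (kind,))
    return candidates, violations


def por_safe_variables(trace):
    """Variables whose every access was under a common lock: the accesses the
    slide's partial order reduction may treat as made in mutual exclusion."""
    candidates, _ = lockset_check(trace)
    return sorted(v for v, cset in candidates.items() if cset)


# Constructed event trace: thread 1 guards X and Y with L1, thread 2 guards X
# with L1 but touches Y with no lock held.
TRACE = [
    ("lock", 1, "L1"), ("access", 1, "X"), ("access", 1, "Y"), ("unlock", 1, "L1"),
    ("lock", 2, "L1"), ("access", 2, "X"), ("unlock", 2, "L1"), ("access", 2, "Y"),
]
```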


Heuristic Search

  • Depth first search leads to very long counterexamples

  • Reactive systems often exhibit periodic behavior

  • It is possible to discover errors at a shorter depth

  • Heuristic Search

    • Breadth first like state generation

    • Priority queue for the states based on some heuristic

  • The challenge

    • Find good heuristics:

      • Based on the property being checked

      • Based on the program structure

      • JPF offers an API for user-defined heuristics
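An added example (my code, not JPF) that model checks the add()/take() program from The dream slide the way this deck describes: every scheduler interleaving of one add() thread and one take() thread is explored as an explicit state space with a hashed visited set, and the first violating schedule comes back as the error trace. It also serves the Heuristic Search slide: the same search runs depth-first, breadth-first, or best-first from a priority queue ordered by a caller-supplied heuristic, and the depth-first counterexample is far longer than the breadth-first one. Assumptions: buffer size 4, tail starts at size-1, and the property (never take from an empty slot, never overwrite an untaken item) is mine.

```python
import heapq, itertools

SIZE = 4  # constructed: capacity of the modelled buffer

def initial_state():
    # slots[i] is 1 while slot i holds an untaken item; head/tail are the slide's
    # indices; pc_add/pc_take are each thread's next statement (0 or 1).
    # Assumption: tail starts at SIZE-1 so that the first take() reads slot 0.
    return (tuple([0] * SIZE), 0, SIZE - 1, 0, 0)

def step(state, thread):
    """Run one statement of `thread`; return (next_state, error_or_None)."""
    slots, head, tail, pc_add, pc_take = state
    if thread == "add":
        if pc_add == 0:                      # buffer[head] = o
            if slots[head]:                  # an item nobody took is lost
                return state, "overflow: slot %d overwritten" % head
            slots = slots[:head] + (1,) + slots[head + 1:]
        else:                                # head = (head+1)%size
            head = (head + 1) % SIZE
        pc_add ^= 1
    else:
        if pc_take == 0:                     # tail = (tail+1)%size
            tail = (tail + 1) % SIZE
        else:                                # return buffer[tail]
            if not slots[tail]:
                return state, "underflow: slot %d read while empty" % tail
            slots = slots[:tail] + (0,) + slots[tail + 1:]
        pc_take ^= 1
    return (slots, head, tail, pc_add, pc_take), None

def model_check(strategy="bfs", heuristic=lambda s: 0):
    """Explore every interleaving; return (error, trace, states_visited).
    'dfs' pops the newest state, 'bfs' the oldest, 'best' the lowest score."""
    best = strategy == "best"
    push = heapq.heappush if best else list.append
    pop = heapq.heappop if best else (lambda f: f.pop(0 if strategy == "bfs" else -1))
    start, seq = initial_state(), itertools.count()
    seen = {start}                           # storage subsystem: hashed visited states
    frontier = [(heuristic(start), next(seq), start, [])]
    while frontier:
        _, _, state, trace = pop(frontier)
        for thread in ("take", "add"):       # scheduler choice = branching point
            nxt, err = step(state, thread)
            if err:                          # error trace = the schedule so far
                return err, trace + [thread], len(seen)
            if nxt not in seen:
                seen.add(nxt)
                push(frontier, (heuristic(nxt), next(seq), nxt, trace + [thread]))
    return None, [], len(seen)
```

With strategy="best" the heuristic is any function of the state tuple, for instance lambda s: -sum(s[0]) to prefer fuller buffers.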


An example

DEOS

  • Real-time OS from Honeywell

  • 1500 lines of code

  • Subtle concurrency error

  • Testing did not reveal it

  • We (re)discovered the bug!

  • Dependency analysis

  • Type abstraction

  • Choice-free heuristic


Conclusion

  • Model checking programs poses some specific issues

    • Some we can deal with

    • Some we looked for a way around

  • Model checking can be used for systematic testing

    • Can be automated

    • Can handle concurrent systems

  • This is still work in progress!


Future directions

  • Apply the same techniques to C/C++

    • Next summer internship proposal

  • Combine property and heuristic specification

    • Allow the model checker to direct the search

  • Combine coverage, model checking and runtime analysis

    • Develop metrics

    • Check the system under certain assumptions
