1. Software Analysis: A Roadmap
CSCI 589 presentation
Joshua Garcia & Eric Johnson
10/16/07
2. Overview
10/16/2007 CSCI 589 Presentation Garcia/Johnson
Driving force
What is analysis?
Verification vs. Refutation
Model Driven Code Analysis
Comparing Java and C++
Simulation vs. Checking
Static vs. Dynamic
Modeling Solutions
Analysis Tools
Parallel vs. Sequential
Ten Years From Now
Strengths and Weaknesses of the Paper
How this relates to Embedded Software
Resources
3. Driving Force
Growth in size and complexity of software systems
A desire to create composable code
A need to be able to quickly and more effectively find errors in code
Movement from sequential to parallel programming constructs (local vs. distributed)
$$$: better, faster, cheaper; we want it all
4. What is Analysis?
Analysis: the extraction of behavior information from the software, represented as an abstract model or as code
Analyze using models
More succinct
Separate concerns and articulate key properties
Can find errors earlier
Code is poor by model
Analyze complexity
Code Coverage
5. Verification vs. Refutation
Verification: attempt to find a proof for a given property is the method of choice
Very critical in embedded choices
Refutation: attempt to find a proof for the given property is the method of choice
Very critical in embedded choices
Proof by contradiction
6. Model Driven Code Analysis
Weakened by modularity
Increasing role in both static and dynamic analysis
Gives engineers more control over the system
Modeling is more effective when it is attached to code
7. Comparing Java and C++
Analyzability
Multithreading
Efficiency
Portability
Predictability
Garbage collection is a problem
JEPES
Both satisfy the Steelman requirements about equally well. [Wheeler, David A. Ada, C, C++, and Java vs. The Steelman. 1997]
For multithreading:
Java: built in
C++: not built in, but supported
For efficiency (speed of execution):
In general C++ is better
Java can be compiled to native code, and restricted Java-based languages like JEPES can help, but this doesn't get rid of the JVM unless you compile to native code
Portability: the general characteristic of being readily transportable from one location to another
Java with the JVM is portable
C++ requires querying mechanisms
Predictability: do you know how long it will take for some application or procedure to execute?
JEPES removes garbage collection, has a fixed number of instructions for static object allocation, etc.
8. Simulation vs. Checking
Simulation
Advantages
Reduces likelihood of egregious flaws
Allows early experimentation and investigation of different structures
Disadvantages
Sacrifices correctness
Checking
Advantages
Better at finding subtle errors
Better for safety critical systems
Establish correspondence between model and code
Disadvantages
Exposing subtle errors is rarely cost effective
Robot simulation (figure)
9. Static vs. Dynamic
Static analysis
Advantages
Provides information valid for all runs
Disadvantages
Information provided is usually just an approximation
May cause many false positives when detecting errors
Dynamic analysis
Advantages
Detailed and precise info for a single run
Easier to obtain than static analysis
Disadvantages
Makes no guarantees about other runs
Static analysis: a type of analysis where the information provided (usually in the form of properties) is valid for all possible runs
Dynamic analysis: analyzes a program by collecting information while it runs
Prediction
Dynamic analysis
More powerful and sophisticated tools
More Java-based tools because of high-level executable formats like Java bytecode
Static analysis
More important and viable in the long run
10. Modeling Solutions
UML
Embedded UML
Architecture Analysis & Design Language (AADL)
Java Modeling Language (JML)
Z notation
Formal specification language
Koala
ADL for embedded systems
JML
The Java Modeling Language (JML) is a behavioral interface specification language that can be used to specify the behavior of Java modules. It combines the design by contract approach of Eiffel and the model-based specification approach of the Larch family of interface specification languages, with some elements of the refinement calculus.
Preconditions, postconditions, invariants
JML invariants are attached to Java Classes
JML contracts are attached to Java methods
UML
In the field of software engineering, the Unified Modeling Language (UML) is a standardized specification language for object modeling. UML is a general-purpose modeling language that includes a graphical notation used to create an abstract model of a system, referred to as a UML model.
Designed to be compatible with the different software engineering methods of its time (OMT, Booch, Objectory, etc.)
13 types of diagrams
IBM Rational Rose Technical Developer (formerly Rational Rose RealTime), for example
Microsoft Visio
Embedded UML
Represents a synthesis of various ideas in the real-time UML community and concepts drawn from the HW-SW co-design field
Use of the UML Profile for Schedulability, Performance and Time
Reactive rather than active objects
An active object owns a thread and can initiate a control activity
Reactive object: concurrent processes mapped to multiple hardware resources with asynchronous communication between them reacting to external stimuli
Supports multiple means of communication
A profile in the Unified Modeling Language provides a generic extension mechanism for building UML models in particular domains. Profiles are based on additional stereotypes and tagged values that are applied to elements, attributes, methods, links, and link ends. A profile is a collection of such extensions and restrictions that together describe some particular modeling problem and facilitate modeling constructs in that domain. UML profiles tailor the language to specific areas: business modeling and others.
AADL
From Wikipedia:
The Architecture Analysis & Design Language (AADL) is an architecture description language standardized by SAE. AADL was first developed in the field of avionics, and was known formerly as the Avionics Architecture Description Language. It is derived from MetaH, an architecture description language made by the Advanced Technology Center of Honeywell. AADL is used to model the software and hardware architecture of an embedded, real-time system. Due to its emphasis on the embedded domain, AADL contains constructs for modeling both software and hardware components (with the hardware components named "execution platform" components within the standard). This architecture model can then be used either as a design documentation, for analyses (such as schedulability and flow control) or for code generation (of the software portion), a la UML.
Z (Zed) notation
Used in safety-critical projects (at least for requirements specification)
The Z notation (universally pronounced zed, named after Zermelo-Fraenkel set theory) is a formal specification language used for describing and modelling computing systems. It is targeted at the clear specification of computer programs and the formulation of proofs about the intended program behavior.
Z was originally proposed by Jean-Raymond Abrial in 1977 with the help of Steve Schuman and Bertrand Meyer [1]. It was developed further at the Programming Research Group at Oxford University, where Abrial worked in the early eighties.
Z is based on the standard mathematical notation used in axiomatic set theory, lambda calculus, and first-order predicate logic. All expressions in Z notation are typed, thereby avoiding some of the paradoxes of naive set theory. Z contains a standardized catalog (called the mathematical toolkit) of commonly used mathematical functions and predicates.
Although Z notation uses many non-ASCII symbols, the specification includes suggestions for rendering the Z notation symbols in ASCII and in LaTeX.
A valuable resource for newcomers interested in learning Z is The Z Notation: a reference manual.
Z notation was used in the IBM CICS project.
CICS (Customer Information Control System) is a transaction server that runs primarily on IBM mainframe systems under z/OS or z/VSE. CICS on distributed platforms is called TXSeries and it is available on AIX, Windows, Solaris and HP-UX. CICS is also available on other operating systems, notably i5/OS and OS/2. The z/OS implementation, i.e., CICS Transaction Server for z/OS, is by far the most popular and significant. It is known foremost as a pseudo-conversational computer application.
CICS is used in bank teller applications, airline reservation systems, ATM systems etc. CICS first went on sale on July 8, 1969, not long after IMS. It was originally developed in the United States at IBM's Palo Alto lab. In 1974, CICS development shifted to IBM's programming labs in Hursley, United Kingdom, where work continues today.
Koala
Component model for embedded systems
TV sets
Developed by Philips
Primary goals
Managing increasing complexity of SW
Components and explicit architecture
Manage diversity
Parameterization of components
Support for product lines
Component reuse
Inspired by Darwin
Components
Defined in ADL
Provided and required interfaces
Interfaces
Defined in IDL
Configurations
Set of connected components
Required to provided interface
No explicit connectors
Multiple required interfaces to one provided
Koala components implemented in C
Koala compiler
Generates C header files
11. Analysis Tools
KeY
Deductive verification of OO systems
ESC/Java
Static checking and theorem proving
RealView Profiler
New dynamic analysis tool for ARM architectures
MATLAB/Simulink
PVS theorem prover
Prototype Verification System
Java PathFinder (JPF)
Model checking, runtime analysis, static analysis
KeY
A tool for deductive verification of Java-based systems, coupled with object-oriented software methods; used with a safety-critical real-time avionics navigation system (the Java flight management system) and smart card programs
Combines object-oriented techniques with formal methods
Designed for UML-based software development
Used in avionics systems with JML
Safety-critical real-time avionics navigation system called the Java flight management system
ESC/Java
Extended Static Checking for Java
Uses automatic theorem proving
"Invisible formal methods" because it hides the method and the algorithms from the user
Gives static warnings about many errors usually caught at run-time
Synchronization errors in concurrent programs
Record design decisions in an annotation language and see if the program violates these design decisions
Middle ground between finding errors and the amount of effort required to use the analysis tool
Neither sound nor complete
Its argument is that the competing technologies (manual code reviews and testing) are not complete either
Probably a small number of bugs missed
Reduces cost by not having to attempt soundness or completeness
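As an added example that is not from the slides, the ESC/Java project or KeY, here is the JML contract style these notes describe (invariants attached to the class, preconditions and postconditions attached to methods) on a small fixed-size queue of the kind found in embedded code; the class and method names are invented for illustration. The two readers at the end show the kind of precondition violation an ESC/Java-style checker reports statically instead of leaving it to fail at run-time, and how recording the design decision in the annotation discharges the warning.

```java
// Added example: JML-annotated fixed-size queue (all names are hypothetical).
public class BoundedQueue {
    // spec_public lets the specifications below refer to private fields.
    private /*@ spec_public non_null @*/ int[] buf;
    private /*@ spec_public @*/ int head;  // index of the oldest element
    private /*@ spec_public @*/ int size;  // number of stored elements

    // Class invariants: JML attaches these to the class, so they must hold
    // in every visible state (before and after every public method).
    //@ invariant buf.length > 0;
    //@ invariant 0 <= head && head < buf.length;
    //@ invariant 0 <= size && size <= buf.length;

    //@ requires capacity > 0;
    //@ ensures buf.length == capacity && head == 0 && size == 0;
    public BoundedQueue(int capacity) {
        buf = new int[capacity];
        head = 0;
        size = 0;
    }

    // Pure methods have no side effects, so they may be used inside contracts.
    //@ ensures \result == (size == buf.length);
    public /*@ pure @*/ boolean isFull() { return size == buf.length; }

    //@ ensures \result == (size == 0);
    public /*@ pure @*/ boolean isEmpty() { return size == 0; }

    // Method contract: JML attaches preconditions and postconditions to methods.
    // The precondition plus the invariants make the array index provably in range.
    //@ requires !isFull();
    //@ assignable buf[*], size;
    //@ ensures size == \old(size) + 1;
    //@ ensures buf[(head + \old(size)) % buf.length] == x;
    public void enqueue(int x) {
        buf[(head + size) % buf.length] = x;
        size++;
    }

    //@ requires !isEmpty();
    //@ assignable head, size;
    //@ ensures size == \old(size) - 1;
    //@ ensures \result == \old(buf[head]);
    public int dequeue() {
        int x = buf[head];
        head = (head + 1) % buf.length;
        size--;
        return x;
    }
}

class Consumer {
    // An ESC/Java-style checker flags this statically: nothing establishes
    // dequeue()'s precondition !isEmpty(), so the call could underflow at
    // run-time. The warning is the static analogue of the failing run.
    //@ requires q != null;
    static int readTwo(BoundedQueue q) {
        int a = q.dequeue();  // warning: precondition !isEmpty() may not hold
        int b = q.dequeue();
        return a + b;
    }

    // Recording the design decision in the contract discharges the warning:
    // with size >= 2, both dequeue() preconditions follow from the postconditions.
    //@ requires q != null && q.size >= 2;
    //@ ensures q.size == \old(q.size) - 2;
    static int readTwoChecked(BoundedQueue q) {
        int a = q.dequeue();
        int b = q.dequeue();
        return a + b;
    }
}
```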
RealView Profiler
By ARM - The ARM architecture (previously, the Advanced RISC Machine, and prior to that Acorn RISC Machine) is a 32-bit RISC processor architecture developed by ARM Limited that is widely used in a number of embedded designs. Because of their power saving features, ARM CPUs are dominant in the mobile electronics market, where low power consumption is a critical design goal.
Dynamic analysis tool without instrumentation
Needs ARM's on-chip debugging interface
Virtual platform to analyze software on hardware before it is available
Runs on the Eclipse IDE
ARM designs microprocessors and licenses them as IP cores, so it doesn't actually manufacture silicon
ARM is used in mobile telephones, automotive engine management, PostScript laser printers, and GPS systems
MATLAB
Numerical analysis software
Numerical analysis is the study of algorithms for the problems of continuous mathematics
Perform simulations
MATLAB is a numerical computing environment and programming language. Created by The MathWorks, MATLAB allows easy matrix manipulation, plotting of functions and data, implementation of algorithms, creation of user interfaces, and interfacing with programs in other languages. Although it specializes in numerical computing, an optional toolbox interfaces with the Maple symbolic engine, allowing it to be part of a full computer algebra system.
PVS theorem prover
PVS is a verification system: that is, a specification language integrated with support tools and a theorem prover. It is intended to capture the state-of-the-art in mechanized formal methods and to be sufficiently rugged that it can be used for significant applications. PVS is a research prototype: it evolves and improves as we develop or apply new capabilities, and as the stress of real use exposes new requirements.
Used in academic studies and projects, such as a Real-Time Distributed Shared Data space
JPF
Has been used with the Real-Time Specification for Java (RTSJ) to create systems for jobs on a multiprogramming operating system and complex resource contention involving autonomous vehicles crossing an intersection
JPF has shown utility for logic and timing errors
12. Analysis Tools (cont.)
13. Parallel vs. Sequential Execution
Big push to migrate to parallel execution of programs.
Harness multicore, multiprocessor systems
64-bit execution
More dynamic real world needs
Single threaded applications
Way of the past (legacy systems, Fortran)
Multithreaded applications
Harder to analyze but gives increased functionality
14. Multi-Threaded Solutions
OpenMP
Application Program Interface (API) that may be used to explicitly direct multi-threaded, shared memory parallelism
ProActive
Professional open source Middleware solution for parallel, distributed and multi-threaded computing.
15. 10 Years From Now
Java will indeed be prevalent, but it will not take over the industry
Always need multiple languages to have design tradeoffs
Creation of new languages that are more capable of handling designer concerns and limiting cost
Increased research in optimization
Large risk of business getting in the way
16. Strengths & Weaknesses of the Paper
Strengths
Very informative (gives a lot of information)
Very insightful at the time it was written (still applicable)
More simulation than model checking
Reliant upon software in almost every interaction of our lives
Weaknesses
Broad: covers a lot of concepts
Doesn't directly apply to embedded systems
Omits evolution of hardware systems
Doesn't make a clear distinction between some dichotomies (distributed vs. localized); ignores localized
17. How It Relates to Embedded Software
Software analysis will yield more robust software
Cuts costs
Reduces risk
Embedded software has its own environment
Its own set of tools
Different design tradeoffs
The wave of the future as computing becomes ubiquitous
18. Resources
Cok, David R. and Kiniry, Joseph R. ESC/Java2: Uniting ESC/Java and JML. 2004.
Flanagan et al. Extended Static Checking for Java. 2002.
Graaf et al. Embedded Software Engineering: The State of the Practice. 2003.
Lindstrom et al. Model Checking Real Time Java Using PathFinder. 2005.
Schmitt et al. A Case Study in Specification and Verification using UML in an Avionics Application. 2006.
Schultz et al. Compiling Java for Low-End Embedded Systems. 2003.
Vaandrager, Frits. Does it Pay Off? Model-Based Verification and Validation of Embedded Systems! 2006.
Visser et al. Model Checking Programs. 2000.