Bandera: Extracting Finite-state Models from Java Code

Bandera: Extracting Finite-state Bandera: Extracting Finite-state Models from Java CodeModels from Java Code

James Corbett

Matthew Dwyer

John Hatcliff

Shawn Laubach

Corina Pasareanu

Robby

Hongjun Zheng

Faculty Students and Post-docs

Roby Joehanes

Ritesh Desai

Venkatesh Ranganath

Oksana Tkachuk

Goal: Goal: Increase Software ReliabilityIncrease Software Reliability

Trends:

Size, complexity, concurrency, distributed

Cost of software engineer……………………….

Cost of CPU cycle………………………………..

Future: Automated Fault Detection

The DreamThe Dream

Program

Requirement

Checker

OK

Error trace

or

void add(Object o) { buffer[head] = o; head = (head+1)%size;}

Object take() { … tail=(tail+1)%size; return buffer[tail];}

Property 1: …Property 2: ……

Model CheckingModel Checking

OK

Error trace

orFinite-state model

Temporal logic formula

Model Checker

Line 5: …Line 12: …Line 15:…Line 21:…Line 25:…Line 27:… …Line 41:…Line 47:…

Spin ExampleSpin Example

proctype A(chan in, out){ byte mt; /* message data */ bit vr; L1: mt = (mt+1%MAX); out!mt,1; goto L2; L2: in?vr; if :: (vr == 1) goto L1 :: (vr == 0) goto L3 :: printf(“Error”); goto L5 fi; L3: out!mt,1; goto L2; L4: in?vr; if :: goto L1; :: printf(“Error”); goto L5 fi; L5: out!mt,0; goto L4}

L1 L4

L2

L3

L5

?b1

?err

?b0

?b1 !a1

?a1?b0

?err

!a0

Fragment of Alternating Bit Protocol

Explicit State Model-checking Explicit State Model-checking

L1 L4

L2

L3

L5

?b1

?err

?b0

?b1 !a1

?a1?b0

?err

!a0


[L1, (mt1, vr1), ….]

Pending Seen Before

Implementation

Explored State-Space (computation tree)

Conceptual View


L1 L4

L2

L3

L5

?b1

?err

?b0

?b1 !a1

?a1?b0

?err

!a0


[L2, (mt2, vr2), ….]


Pending Seen Before

Implementation

Conceptual View

[L1, (mt1, vr1), ….]

[L1, (mt1, vr1), ….]


L1 L4

L2

L3

L5

?b1

?err

?b0

?b1 !a1

?a1?b0

?err

!a0


[L3, (mt3, vr3), ….]


Pending Seen Before

Implementation

Conceptual View

[L1, (mt1, vr1), ….]

[L1, (mt1, vr1), ….]

[L2, (mt2, vr2), ….]

[L2, (mt2, vr2), ….][L5, (mt5, vr5), ….]

[L1, (mt1’, vr1’), ..]


[L3, (mt3, vr3), ….]


Pending Seen Before

Implementation

Conceptual View

[L1, (mt1, vr1), ….]

[L1, (mt1, vr1), ….]

[L2, (mt2, vr2), ….]

[L2, (mt2, vr2), ….][L5, (mt5, vr5), ….]

[L3, (mt3, vr3), ….]

L1 L4

L2

L3

L5

?b1

?err

?b0

?b1 !a1

?a1?b0

?err

!a0

Fragment of Alternating Bit Protocol[L1, (mt1’, vr1’), ..]


[L3, (mt3, vr3), ….]


Pending Seen Before

Implementation

Conceptual View

[L1, (mt1, vr1), ….]

[L1, (mt1, vr1), ….]

[L2, (mt2, vr2), ….]

[L2, (mt2, vr2), ….][L3, (mt3, vr3), ….]

[L5, (mt5, vr5), ….]

[L5, (mt5, vr5), ….]

L1 L4

L2

L3

L5

?b1

?err

?b0

?b1 !a1

?a1?b0

?err

!a0


[L1, (mt1’, vr1’), ..]

Why Try to Use Why Try to Use Model Checking for Software?Model Checking for Software?

In contrast to testing, gives complete coverage by exhaustively exploring all paths in system,

It’s been used for years with good success in hardware and protocol design

Automatically check, e.g., – invariants, simple safety & liveness properties – absence of dead-lock and live-lock, – complex event sequencing properties,

“Between the window open and the window close, button X can be pushed at most twice.”

This suggests that model-checking can complement existing software quality assurance techniques.

What makes model-checking What makes model-checking software difficult?software difficult?

Model construction

OK

Error trace



Model Checker

State explosion

Problems using existing checkers:

Property specification Output interpretation

Line 5: …Line 12: …Line 15:…Line 21:…

Model Construction ProblemModel Construction Problem

Semantic gap:

Model Description

Model CheckerProgram



Gap

Programming Languages

Model Description Languages

methods, inheritance, dynamic creation, exceptions, etc.

automata


Model construction

OK

Error trace



Model Checker

State explosion




Property Specification ProblemProperty Specification Problem

Difficult to formalize a requirement in temporal logic

“Between the window open and the window close, button X can be pushed at most twice.”

[]((open /\ <>close) -> ((!pushX /\ !close) U (close \/ ((pushX /\ !close) U (close \/ ((!pushX /\ !close) U (close \/ ((pushX /\ !close) U (close \/ (!pushX U close))))))))))

…is rendered in LTL as...

Property Specification ProblemProperty Specification Problem

We want to write source level specifications...

(((_collect(heap_b) == 1)\ && (BoundedBuffer_col.instance[_index(heap _b)].head == BoundedBuffer_col.instance[_index(heap _b)].tail) )\|| ((_collect(heap _b) == 3)\ && (BoundedBuffer_col_0.instance[_index(heap _b)].head == BoundedBuffer_col_0.instance[_index(heap _b)].tail) )\|| ((_collect(heap _b) == 0) && TRAP))

Heap.b.head == Heap.b.tail

We are forced to write model level specifications...

Forced to state property in terms of model rather than source:


Model construction

OK

Error trace



Model Checker

State explosion




State Explosion ProblemState Explosion Problem

Moore’s law and algorithm advances can help– Holzmann: 7 days (1980) ==> 7 seconds (2000)

Explosive state growth in software limits scalability

Bit x1,…,xN 2^N states

Cost is exponential in the number of components


Model construction

OK

Error trace



Model Checker

State explosion




Output Interpretation ProblemOutput Interpretation Problem

Raw error trace may be 1000’s of steps long

Model DescriptionProgram



Gap

Error trace

Line 5: …Line 12: …Line 15:…Line 21:…Line 25:…Line 27:… …Line 41:…Line 47:…

Must map line listing onto model description Mapping to source is made difficult by

– Semantic gap & clever encodings of complex features– multiple optimizations and transformations

Bandera:Bandera:An open tool set for model-checking Java source codeAn open tool set for model-checking Java source code

Checker Inputs

CheckerOutputs

Optimization Control

Transformation &Abstraction Tools

ModelCheckers

Java Source



Bandera Temporal Specification

Graphical User Interface

Error Trace Mapping

Bandera

Addressing theAddressing the Model Construction ProblemModel Construction Problem

Numerous analyses, optimizations,two intermediate languages, multiple back-ends

Slicing, abstract interpretation, specialization Variety of usage modes: simple...highly tuned

Model extraction: compiling to model checker inputs:

Java Source



Model DescriptionModel Compiler

Static Analyses

Abstract Interpretation

Slicing Optimizations

Addressing theAddressing the Property Specification ProblemProperty Specification Problem

An extensible language based on field-tested temporal property specification patterns

[]((open /\ <>close) -> ((!pushX /\ !close) U (close \/ ((pushX /\ !close) U (close \/ ((!pushX /\ !close) U (close \/ ((pushX /\ !close) U (close \/ (!pushX U close))))))))))

Using the pattern system: 2-bounded existence

Between {open} and {close} {pushX} exists atMost {2} times;

Addressing theAddressing the State Explosion ProblemState Explosion Problem

Aggressive customization via slicing, abstract interpretation, program specialization

Java Source


…

Model DescriptionsModel Compiler

Property

Generate models customized wrt property!

Result: multiple models --- even as many as one per property

Addressing theAddressing the Output Interpretation ProblemOutput Interpretation Problem

Run error traces forwards and backwards Program state queried Heap structures navigated Locks, wait sets, blocked sets displayed

Like a debugger: error traces mapped back to source

Java Source



Model Compiler

ModelChecker

Intermediate Representations

Error traceLine 5: …Line 12: …Line 15:…Line 21:…

ModelDescription

+ simulator

Bandera ArchitectureBandera Architecture

BIRC BIR

Simulator

AbstractionEngine

Slicer

Analyses

Translators

SPIN

dSPIN

SMV

JPF

Property Tool

JavaJimple

Parser

Error Trace Display

Front EndFront End

Translates Java source to Jimple IRSupports specification of propertyProvides debugger-like step facilities

for error traces

if (x > 0) x = y * 2;

Label1: if (x <= 0) goto Label2; t0 = y * 2; x = t0;Label2: …

Java Jimple

Property SpecificationProperty Specification

/** * observable * EXP Full: (head == tail); */

class BoundedBuffer { Object [] buffer; int head, tail, bound;

public synchronized void add(Object o) {…}

public synchronized Object take () {…}}

Requirement:

If a buffer becomes full,it will eventually becomenon-full.

Bandera Specification:

FullToNonFull: forall[b:BoundedBuffer]. {Full(b)} leads to {!Full(b)} globally;

Property-directed SlicingProperty-directed Slicing

slicing criterion generated automatically from observables mentioned in the property

backwards slicing automatically finds all components that might influence the observables.

Source program Resulting slice

Slice

mentionedin property

indirectlyrelevant

Property-directed SlicingProperty-directed Slicing/** * @observable EXP Full: (head == tail) */

class BoundedBuffer { Object [] buffer_; int bound; int head, tail; public synchronized void add(Object o) { while ( tail == head ) try { wait(); } catch ( InterruptedException ex) {}

buffer_[head] = o; head = (head+1) % bound; notifyAll(); }...}

Included inslicingcritirion

Slicing Criterion

All statementsthat assign tohead, tail.

indirectlyrelevant

removed byslicing

AbstractionAbstractionSpecializerSpecializer

int x = 0;if (x == 0) x = x + 1;

Data domains

(n<0) : neg(n==0): zero(n>0) : pos

Signs

neg poszero

int

Code

Signs x = zero;if (x == zero) x = pos;

Collapses data domains via abstract interpretation:

Abstraction Component Abstraction Component FunctionalityFunctionality

VariableConcrete Type

Abstract Type

Inferred Type

AbstractionLibrary

BanderaAbstractionSpecificationLanguage

BASLCompiler

PVS

JimpleJimple AbstractionEngine

AbstractedJimple

xydonecount

ob

intintbool

ObjectBuffer

int….

SignsSignsSigns

intAbsBool

….PointBuffer

Abstraction SpecificationAbstraction Specificationabstraction Signs abstracts intbegin TOKENS = { NEG, ZERO, POS };

abstract(n) begin n < 0 -> {NEG}; n == 0 -> {ZERO}; n > 0 -> {POS}; end

operator + add begin (NEG , NEG) -> {NEG} ; (NEG , ZERO) -> {NEG} ; (ZERO, NEG) -> {NEG} ; (ZERO, ZERO) -> {ZERO} ; (ZERO, POS) -> {POS} ; (POS , ZERO) -> {POS} ; (POS , POS) -> {POS} ; (_,_)-> {NEG, ZERO, POS}; /* case (POS,NEG), (NEG,POS) */ end

public class Signs { public static final int NEG = 0; // mask 1 public static final int ZERO = 1; // mask 2 public static final int POS = 2; // mask 4 public static int abstract(int n) { if (n < 0) return NEG; if (n == 0) return ZERO; if (n > 0) return POS; }

public static int add(int arg1, int arg2) { if (arg1==NEG && arg2==NEG) return NEG; if (arg1==NEG && arg2==ZERO) return NEG; if (arg1==ZERO && arg2==NEG) return NEG; if (arg1==ZERO && arg2==ZERO) return ZERO; if (arg1==ZERO && arg2==POS) return POS; if (arg1==POS && arg2==ZERO) return POS; if (arg1==POS && arg2==POS) return POS; return Bandera.choose(7); /* case (POS,NEG), (NEG,POS) */ }

Compiled

Specification Creation ToolsSpecification Creation Toolsabstraction Signs abstracts intbegin TOKENS = { NEG, ZERO, POS };

abstract(n) begin n < 0 -> {NEG}; n == 0 -> {ZERO}; n > 0 -> {POS}; end

operator + add begin (NEG , NEG) -> {NEG} ; (NEG , ZERO) -> {NEG} ; (ZERO, NEG) -> {NEG} ; (ZERO, ZERO) -> {ZERO} ; (ZERO, POS) -> {POS} ; (POS , ZERO) -> {POS} ; (POS , POS) -> {POS} ; (_,_)-> {NEG, ZERO, POS}; end

AutomaticGeneration

Forall n1,n2: neg?(n1) and neg?(n2) implies not pos?(n1+n2)

Forall n1,n2: neg?(n1) and neg?(n2) implies not zero?(n1+n2)

Forall n1,n2: neg?(n1) and neg?(n2) implies not neg?(n1+n2)

Proof obligations submitted to PVS...

Example: Start safe, then refine: +(NEG,NEG)={NEG,ZERO,POS}

Back EndBack End

Bandera Intermediate Representation (BIR)– guarded command language– includes: locks, threads, references, heap– info to help translators (live vars, invisible)

entermonitor r0r1.count = 0;…

loc s5: live { r0, r1 } when lockAvail(r0.lock) do { lock(r0.lock); } goto s6;loc s6: live { r1 } when true do invisible { r1.count = 0;} goto s7;

JimpleBIR

Bounded Buffer BIRBounded Buffer BIRprocess BoundedB() BoundedBuffer_ref = ref { BoundedBuffer_col, BoundedBuffer_col_0 }; BoundedBuffer_rec = record { bound_ : range -1..4; head_ : range -1..4; tail_ : range -1..4; BIRLock : lock wait reentrant; }; BoundedBuffer_col : collection [3] of BoundedBuffer_rec; BoundedBuffer_col_0 : collection [3] of BoundedBuffer_rec;…….……….loc s34: live { b2, b1, add_JJJCTEMP_0, add_JJJCTEMP_6, add_JJJCTEMP_8 } when true do invisible { add_JJJCTEMP_8 := (add_JJJCTEMP_6 % add_JJJCTEMP_8); } goto s35;loc s35: live { b2, b1, add_JJJCTEMP_0, add_JJJCTEMP_8 } when true do { add_JJJCTEMP_0.head_ := add_JJJCTEMP_8; } goto s36;loc s36: live { b2, b1, add_JJJCTEMP_0 } when true do { notifyAll(add_JJJCTEMP_0.BIRLock); } goto s37;loc s37: live { b2, b1, add_JJJCTEMP_0 } when true do { unlock(add_JJJCTEMP_0.BIRLock); } goto s38;

Bounded Buffer PromelaBounded Buffer Promelatypedef BoundedBuffer_rec { type_8 bound_; type_8 head_; type_8 tail_; type_18 BIRLock; }

……loc_25: atomic { printf("BIR: 25 0 1 OK\n"); if :: (_collect(add_JJJCTEMP_0) == 1) -> add_JJJCTEMP_8 = BoundedBuffer_col. instance[_index(add_JJJCTEMP_0)].tail_; :: (_collect(add_JJJCTEMP_0) == 2) -> add_JJJCTEMP_8 = BoundedBuffer_col_0. instance[_index(add_JJJCTEMP_0)].tail_; :: else -> printf("BIR: 25 0 1 NullPointerException\n"); assert(0); fi; goto loc_26; }

TranslatorsTranslators

Plug-in component that interfaces to specific model checker– Translates BIR to checker input language– Parses output of checker for error trace

Currently– SPIN, dSPIN, SMV translators complete– JPF (from NASA Ames) integrated– XMC, FDR translators in progress

Case StudiesCase Studies Small examples thus far (< 2000 loc)

– illustrating use of property-pattern system and other components

Scheduler from DEOS real-time OS kernel– (1600, 22 classes, seven tasks)

Now trying systems up to 20,000 loc– collection of 15 open-source 100% pure Java – Jigsaw web-server from W3C– Tomcat, James (from Apache/Jakarta)

In general, 1-2 minutes for model extraction on (~2000k systems)

State space reductions can dramatically reduce cost

SummarySummary

Bandera provides an open platform for experimentation Separates model checking from extraction

– uses existing model checkers

– supports multiple model checkers Specialize models for specific properties using

automated support for slicing, abstraction, etc. Designed for extensibility

– well-defined internal representations and interfaces We hope this will contribute to the definition of APIs for

software model-checkers

Context of ProjectContext of Project

Researchers with different backgrounds (programming languages, static analysis, verification of concurrent systems, software engineering)

Started on Bandera in November 1998 (previously built verification tools for Ada)

Funding from NASA, National Science Foundation, Honeywell, US Air Force

Current StatusCurrent Status

A reasonable subset of concurrent Java– not handled: recursive methods, exceptions, inner

classes, native methods, libraries(*) You can play around with a “pre-alpha” version of the

tools accompanied by a draft tutorial Public release: October 2000

http://www.cis.ksu.edu/santos/bandera

Schedule of BRICS Mini-CourseSchedule of BRICS Mini-Course

Monday -- Overview– overview talk

– basic demo

Tuesday -- Specifying Temporal Properties of Software– overview of temporal specification

• review of CTL, LTL• temporal specification design patterns

– example driven presentation of Bandera’s specification tools

Wednesday -- Details of Bandera Components– slicing concurrent Java programs

– Bandera abstraction tools

– model generation via Bandera’s back-end

– summary of case studies (e.g., space-craft controller examples)

Documents

Bandera: Extracting Finite-state Models from Java Code