Support US Army Research Office (ARO) US National Science Foundation (NSF) US Department of Defense Advanced Research Projects Agency (DARPA) Boeing Honeywell

SupportUS Army Research Office (ARO)US National Science Foundation (NSF)US Department of Defense Advanced Research Projects Agency (DARPA)

BoeingHoneywell Technology CenterIBMIntel

SAnToS Laboratory, Kansas State University, USA

http://bogor.projects.cis.ksu.edu

Matthew B. DwyerJohn Hatcliff

Robby

Model-Checking JML Specifications with Bogor

Edwin Rodríguez http://spex.projects.cis.ksu.eduhttp://jmleclipse.projects.cis.ksu.eduhttp://bandera.projects.cis.ksu.edu

Lockheed Martin NASA LangleyRockwell-Collins ATCSun Microsystems

CASSIS 2004, Marseille, France

Java Source

void add(Object o) { buffer[head] = o; head = (head+1)%size;}

Object take() { … tail=(tail+1)%size; return buffer[tail];}

CheckerInput

CheckerOutput

Optimization Control

Transformation &Abstraction Tools

Bogor

Specification

Eclipse Platform

Error Trace Mapping

Bandera

Slicing

AbstractInterpretation

Static Analysis

?

Bandera:An Open Toolset for Model Checking Concurrent Java Programs

SpEx Project — Goals

specification languages should have a rich set of primitives for observing

program state heap-allocated objects, concurrency, etc.

make it easy to write useful specifications support lightweight and deep-semantic specifications

be checkable using a variety of analysis techniques

model checking, testing, etc.

We are investigating several languages JML (current focus), OCL, AAL, etc.

JML Reasoning Tools and Technologies

Tool(technology

)

Automaton Usability

JML Coverage

Behavior Coverage

Scalability

LOOP fair (straight line code),

poor (otherwise)

very high complete (for sequential)

poor

ESC/Java good (annotations

usually needed)

low high (for sequential), moderate

(otherwise)

excellent (modular

treatment of methods)

ESC/Java2 good (annotations

usually needed)

moderate high (for sequential), moderate

(otherwise)

excellent (modular

treatment of methods)

JMLC excellent moderate low (determined

by test harness)

excellent

Bogor excellent very high moderate (determined

by test harness)

good (for unit-level

reasoning)other tools such as JACK,…

JML Reasoning Tools and Technologies

Model Checking/TestingTheorem Proving

… m(…) { assume pre-conditions … … … … … … prove post-conditions}

… m(…) {

}

Environment

manipulate formulasmanipulate formulas

checking that specifications are satisfied for particular traces generated by theenvironment (test harness)

checking that specifications are satisfied for particular traces generated by theenvironment (test harness)

Bogor

What is it? Why is it useful? What about its

existing algorithms suggests that it might be good for checking JML?

Questions…

Bogor (Buitenzorg)

Bogor – Software Model Checking Framework

Bogor – Direct support for OO software

unbounded dynamic creation of threads and objects

automatic memory management (garbage collection)

virtual methods, … …, exceptions, etc. supports virtually all of Java

thread & heap symmetry compact state

representation partial order reduction

techniques driven by object escape analysis locking disciplines

Extensive support for checking concurrent OO software

Direct support for… Software targeted algorithms…

Tool DevelopmentFramework

Bogor – Eclipse-based Tool Components

Architecture allows encapsulation/integration with other verification tools using IBM’s Eclipse Integrated Development Environment

CadenaCORBA Component Model verification

Next generation of

Bandera Java Model-checking Tool Set

SpExJML Verification, etc.

Domain-Specific Model-Checking —Bogor Customized To Cadena

Bogor -- Extensible Modeling Language

Core Modeling Language

Threads,Objects,Methods,Exceptions, etc.

+Extensions

Sets

Queues

Tables

RT CORBAEvent Service

API Abstraction

Domain-specific Abstractions

+

Real-timeScheduling

Quasi-cyclicSearch

Partial StateRepresentation

Bogor -- Customizable Checking Engine ModulesSchedulingStrategy

State-spaceExploration

State-spaceRepresentation

Core Checker Modules Customized Checker Modules

…existing modules…

Bogor Customized To Bandera

Bogor – Feature-rich Modeling Language

Core Modeling Language

Threads,Objects,Methods,Exceptions, etc.

Partial OrderReduction

Depth-first Search

Symm. Reduc.

&Compression

Bogor -- Customizable Checking Engine ModulesSchedulingStrategy

State-spaceExploration

StateRepresentation

Core Checker Modules Customized Checker Modules

…existing modules…

Bogor’s Heap Representation

Key Points…

…explicit heap representationStateState

…transition may create new objects, garbage, etc.

HeapHeap

…garbage is eliminated

…precise heap model

…after each transition, a topological sort gives heap objects a canonical order

Canonical heapCanonical heap…sort walks over heap, canonicalizes, and collects info

…sort walks over heap, canonicalizes, and collects info

…precise alias information…have access to all visited states (but, efficiently stored using collapse compression)

Bogor’s Heap Representation — Enables JML Specs Check

Key Points…

… many JML features are easy to support in Bogor

StateState

…transition may create new objects, garbage, etc.

HeapHeap

…can easily compare objects in methods pre/post-states (c.f., \old)

…precise alias information (c.f., \modifies)

Canonical heapCanonical heap…sort walks over heap, canonicalizes, and collects info

…sort walks over heap, canonicalizes, and collects info

…precise heap model (c.f., \reach)

JML Language Coverage

large language coverage…

Doug Lea’s LinkedQueue Examplepublic class LinkedNode { public Object value; public LinkedNode next;

public LinkedNode(Object x) { value = x; }}

public class LinkedQueue { protected final Object putLock; protected LinkedNode head; protected LinkedNode last = head; protected int waitingForTake = 0;

public LinkedQueue() { putLock = new Object(); head = new LinkedNode(null); }

public boolean isEmpty() { synchronized (head) { return head.next == null; } }

public void put(Object x) { if (x == null) throw new IllegalArgumentException(); insert(x); }

protected synchronized Object extract() { synchronized (head) { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; }}

protected void insert(Object x) { synchronized (putLock) { LinkedNode p = new LinkedNode(x); synchronized (last) { last.next = p; last = p; } if (waitingForTake > 0) putLock.notify(); return; }}

public Object take() { Object x = extract(); if (x != null) return x; else …}

allows a high degree of concurrencyallows a high degree of concurrency

Doug Lea’s LinkedQueue Example

LQ LN

head

lastputLock

A state with two threads and a LinkedQueue objectA state with two threads and a LinkedQueue object


LQ LN

head

lastputLock

The red thread creates a new objectThe red thread creates a new object


LQ LN

head

lastputLock

put()

…and invokes put(), which invokes insert()…and invokes put(), which invokes insert()


LQ LN

head

lastputLock

put()

insert() acquires the lock on putLockinsert() acquires the lock on putLock


LQ LN

head

lastputLock

LN

p

valueput()

…and creates a new LinkedNode…and creates a new LinkedNode


LQ LN

head

lastputLock

LN

p

valueput()

…then it locks the LinkedNode pointed by last…then it locks the LinkedNode pointed by last


LQ LN

head

lastputLock

LN

p

nextvalue

put()

…and assigns new LinkedNode to last.next…and assigns new LinkedNode to last.next


LQ LN

head

last

putLock

LN

p

nextvalue

put()

last is moved to point to the new LinkedNodelast is moved to point to the new LinkedNode


LQ LN

head

last

putLock

LN

p

nextvalue

put()

the lock on head’s LinkedNode is releasedthe lock on head’s LinkedNode is released


LQ LN

head

last

putLock

LN

nextvalue

put()

returning from insert(), the local p is now out of scopereturning from insert(), the local p is now out of scope


LQ LN

head

last

putLock

LN

nextvalue

put()

and the lock on putLock’s object is releasedand the lock on putLock’s object is released


LQ LN

head

last

putLock

LN

nextvalue

The red thread finishes executing the put() methodThe red thread finishes executing the put() method


LQ LN

head

last

putLock

LN

nextvalue

and it removes the reference to the new object, done!and it removes the reference to the new object, done!


LQ LN

head

last

putLock

LN

valuenext

LN

valuenext

another object is addedanother object is added


LQ LN

head

last

putLock

LN

valuenext

LN

valuenext

take()

The blue thread invokes take(), which invokes extract()The blue thread invokes take(), which invokes extract()


LQ LN

head

last

putLock

LN

valuenext

LN

valuenext

take()

the LinkedQueue is lockedthe LinkedQueue is locked


LQ LN

head

last

putLock

LN

valuenext

LN

valuenext

take()

the head’s LinkedNode is also lockedthe head’s LinkedNode is also locked


LQ LN

head

last

putLock

LN

valuenext

LN

valuenext

take()

first

head.next is assigned to the local firsthead.next is assigned to the local first


LQ LN

head

last

putLock

LN

valuenext

LN

valuenext

take()

first

x

first.value is assigned to the local xfirst.value is assigned to the local x


LQ LN

head

last

putLock

LN

next

LN

valuenext

take()

first

x

first.value is assigned nullfirst.value is assigned null


LQ LN

head

last

putLock

LN

next

LN

valuenext

take()

first

x

head is moved to the next LinkedNodehead is moved to the next LinkedNode


LQ

head

last

putLock

LN LN

valuenext

take()

x

the LinkedNode is GC’ed (after its lock released)the LinkedNode is GC’ed (after its lock released)


LQ

putLock

x

LN

head

last

LN

nextvalue

the state after take() is finishedthe state after take() is finished

Assessments — LinkedQueue

put() and take() can be done concurrently

if the size of the LinkedQueue is greater than 0 they use different locks to protect object

accesses put() synchronizes on putLock and last take() synchronizes on the LinkedQueue object and head

are mutually exclusive if the size is 0 synchronize on the same LinkedNode

head == last reasoning about them becomes very

complex

JML & Concurrency Issues

Pre-/post-conditions check points in a concurrent setting

Functional and synchronization aspects difficulty when specifying methods

Model checking post-conditions with \old()

LinkedQueue Example (JML)

public class LinkedNode { public Object value; public LinkedNode next;

/*@ behavior @ ensures value == x; @*/ public LinkedNode(Object x) { value = x; }}

public class LinkedQueue { protected final /*@ non_null @*/ Object putLock; protected /*@ non_null @*/ LinkedNode head; protected /*@ non_null @*/ LinkedNode last = head; protected int waitingForTake = 0;

//@ instance invariant waitingForTake >= 0; //@ instance invariant \reach(head).has(last);

/*@ behavior @ assignable head, last, putLock, waitingForTake; @ ensures \fresh(head, putLock) && head.next == null; @*/ public LinkedQueue() { putLock = new Object(); head = new LinkedNode(null); }

/*@ behavior @ ensures \result <==> head.next == null; @*/ public boolean isEmpty() { synchronized (head) { return head.next == null; } }

/*@ behavior @ requires n != null; @ assignable last, last.next; @*/ protected void refactoredInsert(LinkedNode n) { last.next = n; last = n; }

/*@ behavior @ requires x != null; @ ensures true; @ also behavior @ requires x == null; @ signals (Exception e) e instanceof IllegalArgumentException; @*/ public void put(Object x) { if (x == null) throw new IllegalArgumentException(); insert(x); }

protected synchronized Object extract() { synchronized (head) { return refactoredExtract(); } }

/*@ behavior @ assignable head, head.next.value; @ ensures \result == null || (\exists LinkedNode n; @ \old(\reach(head)).has(n); @ n.value == \result @ && !(\reach(head).has(n))); @*/ protected Object refactoredExtract() { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; }

/*@ behavior @ requires x != null; @ ensures last.value == x && \fresh(last); @*/ protected void insert(Object x) { synchronized (putLock) { LinkedNode p = new LinkedNode(x); synchronized (last) refactoredInsert(p); if (waitingForTake > 0) putLock.notify(); return; } } }














//@ instance invariant waitingForTake >= 0; //@ instance invariant \reach(head).has(last); …













/*@ behavior @ assignable head, last, putLock, waitingForTake; @ ensures \fresh(head, putLock) && head.next == null; @*/public LinkedQueue() { putLock = new Object(); head = new LinkedNode(null);}













/*@ behavior @ ensures \result <==> head.next == null; @*/public boolean isEmpty() { synchronized (head) { return head.next == null; }}

Pre/Post-Conditions

jmlc generates a wrapper method for each annotated method

jmlc generates a wrapper method for each annotated method

Figure 4.3, “A Runtime Assertion Checker for the Java Modeling Language”, Y. Cheon

Pre/Post-Conditions

check invariants and method preconditions

check invariants and method preconditions


Pre/Post-Conditions

call original methodcall original method


Pre/Post-Conditions

check post-conditionscheck post-conditions


Pre/Post-Conditions/*@ behavior @ ensures \result <==> head.next == null; @*/public boolean isEmpty() { synchronized (head) { return head.next == null; }}

public boolean isEmpty() {

…

boolean rac$result;

…

rac$result = orig$isEmpty();

checkPost$isEmpty$LinkedQueue(rac$result);

return rac$result;

…

}

At this point a thread can interleave and insert an object in the LinkedQueue;so there actually exists an execution race where the post-condition is violated.

At this point a thread can interleave and insert an object in the LinkedQueue;so there actually exists an execution race where the post-condition is violated.



…

boolean rac$result;

…



return rac$result;

…

}

In general, a thread can interfere before or during the post-conditions check.

In general, a thread can interfere before or during the post-conditions check.



…

boolean rac$result;

…



return rac$result;

…

}

Thus, we need to prevent the interleaving by aggregating the return transition with the post-condition transitions.

Thus, we need to prevent the interleaving by aggregating the return transition with the post-condition transitions.

Assessments — Pre/Post-conditions

granularity of execution/checking steps must be controlled easy to do in a model checker

using similar construct such as Promela’s atomic

needs to modify JVM for testing the scheduler must prevent context-

switching when evaluating code from specifications
















Functional andSynchronization Aspects

public Object take() { Object x = extract(); if (x != null) return x; else … // wait}

/*@ behavior @ assignable head, head.next.value; @ ensures \result == null @ || (\exists LinkedNode n; @ \old(\reach(head)).has(n); @ n.value == \result @ && !(\reach(head).has(n))); @*/protected synchronized Object extract() { synchronized (head) { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; }}

does not work, why?does not work, why?


LQ LN

head

lastputLock

A state with two threads and a LinkedQueue objectA state with two threads and a LinkedQueue object


LQ LN

head

lastputLock

The blue thread invokes take(), which invokes extract().Note that the pre-state for take() is an empty LinkedQueue.The blue thread invokes take(), which invokes extract().Note that the pre-state for take() is an empty LinkedQueue.

take()


LQ LN

head

lastputLock

The red thread interleaves and put() an objectThe red thread interleaves and put() an object

take()

put()


LQ LN

head

putLock

The red thread interleaves and put() an objectThe red thread interleaves and put() an object

take() LN

head

last

LN

nextvalue


LQ

putLock

x

head

The blue thread successfully take() the objectThe blue thread successfully take() the object

LN

last

take()


LQ

putLock

x

head

but the post-condition is violated since the pre-state is an empty LinkedQueue!but the post-condition is violated since the pre-state is an empty LinkedQueue!

LN

last

take()

public Object take() { Object x = extract(); if (x != null) return x; else … // wait}

/*@ behavior @ assignable head, head.next.value; @ ensures \result == null @ || (\exists LinkedNode n; @ \old(\reach(head)).has(n); @ n.value == \result @ && !(\reach(head).has(n))); @*/protected synchronized Object extract() { synchronized (head) { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; }}

functional propertyfunctional property

Functional and Synchronization Aspects








/*@ behavior @ requires x != null; @ ensures true; @ also behavior @ requires x == null; @ signals (Exception e) e instanceof IllegalArgumentException; @*/public void put(Object x) { if (x == null) throw new IllegalArgumentException(); insert(x);}

protected synchronized Object extract() { synchronized (head) { return refactoredExtract(); }}

/*@ behavior @ assignable head, head.next.value; @ ensures \result == null || (\exists LinkedNode n; @ \old(\reach(head)).has(n); @ n.value == \result @ && !(\reach(head).has(n))); @*/protected Object refactoredExtract() { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x;}

/*@ behavior @ requires x != null; @ ensures last.value == x && \fresh(last); @*/protected void insert(Object x) { synchronized (putLock) { LinkedNode p = new LinkedNode(x); synchronized (last) refactoredInsert(p); if (waitingForTake > 0) putLock.notify(); return; }}

protected synchronized Object extract() { synchronized (head) { return refactoredExtract(); }}

/*@ behavior @ assignable head, head.next.value; @ ensures \result == null @ || (\exists LinkedNode n; @ \old(\reach(head)).has(n); @ n.value == \result @ && !(\reach(head).has(n))); @*/protected Object refactoredExtract() { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x;}

Assessments — Functional and Synchronization Aspects

when specifying properties of concurrent programs separate functional properties from

synchronization aspects e.g., region of code after lock acquires

if not, we often end up with weaker properties a tool support for checking specifications is

valuable for “debugging” specifications model checking is good for catching subtle

issues in concurrent programs or their properties





Post-conditions with \old

… m(…) {

}

“good” pre-state“good” pre-state

passed post-conditionspassed post-conditions

“bad” pre-state“bad” pre-state

the state has beenseen before, thus,the model checkerbacktracks withoutchecking post-conditions

the state has beenseen before, thus,the model checkerbacktracks withoutchecking post-conditions

Backtracking can causeMC to miss some errorsBacktracking can causeMC to miss some errors

Post-conditions with \oldclass Race extends Thread { static int x;

public void run() { loc1 : x = 0; loc2 : foo(); }

/*@ ensures @ \old(x) == 0; @*/ void foo() { loc3 : x = 1; loc4 : return; }}

Backtracking can causeMC to miss some errorsBacktracking can causeMC to miss some errors

Post-conditions with \old/*@ behavior @ ensures … \old(e) …; @*/public void foo() { …}

public void foo() { old$rac = e; …}

Works for primitive types, but not for objects

Works for primitive types, but not for objects


public void foo() { int tmp = Bogor.collapseState(e); …}

If e is a reference type, then record all reachable objects from e

If e is a reference type, then record all reachable objects from e


public void foo() { int tmp = Bogor.collapseState(e); …}

Returns a unique integerrepresenting the canonicalreachable heap

Returns a unique integerrepresenting the canonicalreachable heap

/*@ behavior @ assignable head, head.next.value; @ ensures \result == null @ || (\exists LinkedNode n; @ \old(\reach(head)).has(n); @ n.value == \result @ && !(\reach(head).has(n))); @*/protected Object refactoredExtract() { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x;}

Post-conditions with \old

LQ LN

head

last

putLock

LN

valuenext

LN

valuenext

take()

uses set symmetry andcollapse compression for efficiency

uses set symmetry andcollapse compression for efficiency

more optimizations are possiblemore optimizations are possible

Assessments —Post-conditions with \old

Backtracking can cause a model checker to miss some errors when checking post-conditions with \old

Needs to distinguish pre-states to avoid backtracking too early uses heap symmetry to reduce the number of

distinguishable (observationally inequivalent) pre-states

uses collapse compression to reduce memory consumptions for encoding the pre-states

can be optimized further by using a static analysis to detect relevant heap objects (analogous to slicing)

Preliminary Results

w/ JML w/o JML

Test PlatformJDK 1.4.1 (32-bit mode) on a 2 GHz Opteron with maximumheap of 1 GB running Linux (64-bit mode)

Bogor’s Reduction Algorithms — Enables Checking JML Specs

Indicates little overhead compared with simply exploring the state-space

Indicates little overhead compared with simply exploring the state-space

w/ JML w/o JMLw/ JML w/o JMLw/ POR w/o POR

JMLEclipse

JML annotatedJava source

/*@ behavior @ requires x != null; @ ensures true; @also @ behavior @ requires x == null; @ signals (Exception e) e instanceof @ IllegalArgumentException; @*/ public void put(Object x) { if (x == null) throw new IllegalArgumentException(); insert(x); }

JML well-formednesschecker

jmlc

othertool

JMLEclipse

JML syntax highlightingJML syntax highlighting

JML well-formedness checkingJML well-formedness checking

Conclusion There have been many tools for checking JML

specifications Bogor flexible model checking framework can be used to

check “strong” specifications Complete control over the model checker representations and

algorithms hard to do it with Spin, but it can be done in JPF

Highly-automated for unit-sized concurrent Java programs requires effective reductions to help curb specification

checking overhead complements other JML checking methods

checking a different class of properties Issues in JML support for concurrency



Checking \old() using model checking

Future Work

propose specifications for concurrencyin JML (w/ Cormac Flanagan) thread-locality method-locality lock-protected pre-/post-conditions on code regions atomicity, etc.

JMLEclipse as an open ended JML plugin for Eclipse

other specification formalisms

Bogor Tutorial at ETAPS 2004

Barcelona, Spain April 3, half-day, afternoon Topics

Adapting Bogor to a particular domain Extending the Bogor modeling language

add new abstract data types add new abstract operations

Extending the Bogor model checking algorithms

For More Information…

http://jmleclipse.projects.cis.ksu.edu

http://bogor.projects.cis.ksu.edu

SAnToS Laboratory, Kansas State Universityhttp://www.cis.ksu.edu/santos

Bogor Project

JMLEclipse Project

http://bandera.projects.cis.ksu.eduBandera Project

http://spex.projects.cis.ksu.eduSpEx Project

Documents

Support US Army Research Office (ARO) US National Science Foundation (NSF) US Department of Defense Advanced Research Projects Agency (DARPA) Boeing Honeywell