![Page 1: Bandera: Extracting Finite-state Models from Java Source Code James Corbett Matthew Dwyer John Hatcliff Shawn Laubach Corina Pasareanu Robby Hongjun Zheng](https://reader036.vdocuments.pub/reader036/viewer/2022062517/56649f065503460f94c1b243/html5/thumbnails/1.jpg)
Page 1: Bandera: Extracting Finite-state Models from Java Source Code
James Corbett, Matthew Dwyer, John Hatcliff, Shawn Laubach, Corina Pasareanu, Robby, Hongjun Zheng
Faculty, students and post-docs also include: Roby Joehanes, Ritesh Desai, Venkatesh Ranganath, Oksana Tkachuk
Page 2: Goal: Increase Software Reliability
Trends:
– Size, complexity, concurrency, distributed
– Cost of software engineer
– Cost of CPU cycle
Future: Automated Fault Detection
Page 3: The Dream
Program + Requirement -> Checker -> OK, or Error trace
Program:
  void add(Object o) { buffer[head] = o; head = (head+1)%size; }
  Object take() { … tail = (tail+1)%size; return buffer[tail]; }
Requirement: Property 1: … Property 2: … …
Page 4: Model Checking
Finite-state model + Temporal logic formula -> Model Checker -> OK, or Error trace
Error trace: Line 5: … Line 12: … Line 15: … Line 21: … Line 25: … Line 27: … … Line 41: … Line 47: …
Page 5: Why use Model Checking?
In contrast to testing, it gives complete coverage by exhaustively exploring all paths in the system.
It’s been used for years with good success in hardware and protocol design.
Automatically checks, e.g.,
– invariants, simple safety & liveness properties
– absence of dead-lock and live-lock,
– complex event sequencing properties, such as “Between the window open and the window close, button X can be pushed at most twice.”
This suggests that model-checking can complement existing software quality assurance techniques.
Page 6: What makes model-checking software difficult?
Finite-state model + Temporal logic formula -> Model Checker -> OK, or Error trace (Line 5: … Line 12: … Line 15: … Line 21: …)
Problems using existing checkers:
– Model construction
– Property specification
– State explosion
– Output interpretation
Page 7: Model Construction Problem
Semantic gap between the Program and the Model Description fed to the Model Checker:
Program:
  void add(Object o) { buffer[head] = o; head = (head+1)%size; }
  Object take() { … tail = (tail+1)%size; return buffer[tail]; }
Programming Languages: methods, inheritance, dynamic creation, exceptions, etc.
Gap
Model Description Languages: automata
Page 8: What makes model-checking software difficult? (slide repeated from page 6)
Page 9: Property Specification Problem
Difficult to formalize a requirement in temporal logic:
“Between the window open and the window close, button X can be pushed at most twice.”
…is rendered in LTL as...
[]((open /\ <>close) -> ((!pushX /\ !close) U (close \/ ((pushX /\ !close) U (close \/ ((!pushX /\ !close) U (close \/ ((pushX /\ !close) U (close \/ (!pushX U close))))))))))
Page 10: Property Specification Problem
We want to write source level specifications...
  Heap.b.head == Heap.b.tail
We are forced to write model level specifications...
  (((_collect(heap_b) == 1) && (BoundedBuffer_col.instance[_index(heap_b)].head == BoundedBuffer_col.instance[_index(heap_b)].tail)) || ((_collect(heap_b) == 3) && (BoundedBuffer_col_0.instance[_index(heap_b)].head == BoundedBuffer_col_0.instance[_index(heap_b)].tail)) || ((_collect(heap_b) == 0) && TRAP))
Forced to state the property in terms of the model rather than the source.
Page 11: What makes model-checking software difficult? (slide repeated from page 6)
Page 12: State Explosion Problem
Moore’s law and algorithm advances can help
– Holzmann: 7 days (1980) ==> 7 seconds (2000)
Explosive state growth in software limits scalability
– Bits x1,…,xN: 2^N states
– Cost is exponential in the number of components
Page 13: What makes model-checking software difficult? (slide repeated from page 6)
Page 14: Output Interpretation Problem
Raw error trace may be 1000’s of steps long:
  Line 5: … Line 12: … Line 15: … Line 21: … Line 25: … Line 27: … … Line 41: … Line 47: …
Must map the line listing onto the model description, and across the gap back to the program:
  void add(Object o) { buffer[head] = o; head = (head+1)%size; }
  Object take() { … tail = (tail+1)%size; return buffer[tail]; }
Mapping to source is made difficult by
– Semantic gap & clever encodings of complex features
– multiple optimizations and transformations
Page 15: Bandera: An open tool set for model-checking Java source code
Inputs: Java Source (void add(Object o) {…} Object take() {…}) and a Bandera Temporal Specification
Bandera: Graphical User Interface, Transformation & Abstraction Tools, Optimization Control, Error Trace Mapping
Bandera produces the Checker Inputs for the Model Checkers and interprets the Checker Outputs
Page 16: Addressing the Model Construction Problem
Model extraction: compiling to model checker inputs:
  Java Source -> Model Compiler (Static Analyses, Abstract Interpretation, Slicing, Optimizations) -> Model Description
– Numerous analyses, optimizations, two intermediate languages, multiple back-ends
– Slicing, abstract interpretation, specialization
– Variety of usage modes: simple...highly tuned
Page 17: Addressing the Property Specification Problem
An extensible language based on field-tested temporal property specification patterns.
Using the pattern system: 2-bounded existence
  Between {open} and {close} {pushX} exists atMost {2} times;
…which is rendered in LTL as
  []((open /\ <>close) -> ((!pushX /\ !close) U (close \/ ((pushX /\ !close) U (close \/ ((!pushX /\ !close) U (close \/ ((pushX /\ !close) U (close \/ (!pushX U close))))))))))
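The pattern above is the k = 2 instance of bounded existence. As an added example in Python (not code from the Bandera project), the generator below produces the LTL expansion for any bound k in the slide's notation, and a finite-trace checker shows what the formula actually counts: maximal runs of consecutive pushX states between open and the next close, under finite-trace semantics (an assumption of this example).

```python
from typing import List, Set, Tuple

State = Set[str]  # the propositions true in one state of a trace


def bounded_existence_ltl(p: str, q: str, r: str, k: int) -> str:
    """LTL for "Between {q} and {r} {p} exists atMost {k} times".

    The formula alternates a phase outside p ((!p & !r) U ...) with a phase
    inside one maximal run of p-states ((p & !r) U ...); each pair of phases
    admits one occurrence of p and the innermost (!p U r) admits none more.
    k = 2 reproduces the formula on the slide.
    """
    inner = f"(!{p} U {r})"
    for _ in range(k):
        inner = (f"((!{p} /\\ !{r}) U ({r} \\/ "
                 f"(({p} /\\ !{r}) U ({r} \\/ {inner}))))")
    return f"[](({q} /\\ <>{r}) -> {inner})"


def p_runs_between(trace: List[State], p: str, q: str, r: str) -> List[Tuple[int, int]]:
    """For each q-state followed (or accompanied) by an r-state, return
    (index of the q-state, number of maximal runs of p-states before that first
    r-state).  A q-state with no later r-state imposes no obligation, which is
    what the (q & <>r) guard of the formula says."""
    result = []
    for i, state in enumerate(trace):
        if q not in state:
            continue
        j = next((t for t in range(i, len(trace)) if r in trace[t]), None)
        if j is None:
            continue
        runs, in_run = 0, False
        for t in range(i, j):
            if p in trace[t]:
                if not in_run:
                    runs += 1  # a new maximal run of p-states starts here
                in_run = True
            else:
                in_run = False
        result.append((i, runs))
    return result


def check_bounded_existence(trace: List[State], p: str, q: str, r: str, k: int) -> Tuple[bool, int]:
    """(True, -1) if every q..r interval holds at most k runs of p, otherwise
    (False, index of the first q-state whose interval breaks the bound)."""
    for i, runs in p_runs_between(trace, p, q, r):
        if runs > k:
            return False, i
    return True, -1


def demo() -> Tuple[Tuple[bool, int], Tuple[bool, int], Tuple[bool, int]]:
    """Constructed traces (not from the slides) for the window/button property."""
    P, Q, R = "pushX", "open", "close"
    # two separate pushes between open and close: satisfies atMost 2
    ok = [{Q}, {P}, set(), {P}, {R}]
    # three separate pushes: violated, reported at the open state (index 0)
    bad = [{Q}, {P}, set(), {P}, set(), {P}, {R}]
    # the button held over three consecutive states is ONE occurrence
    held = [{Q}, {P}, {P}, {P}, set(), {P}, {R}]
    return (check_bounded_existence(ok, P, Q, R, 2),
            check_bounded_existence(bad, P, Q, R, 2),
            check_bounded_existence(held, P, Q, R, 2))


if __name__ == "__main__":
    print(bounded_existence_ltl("pushX", "open", "close", 2))
    print(demo())
```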
Page 18: Addressing the State Explosion Problem
Aggressive customization via slicing, abstract interpretation, program specialization
  Java Source (void add(Object o) {…} …) + Property -> Model Compiler -> Model Descriptions
Generate models customized wrt property!
Result: multiple models --- even as many as one per property
Page 19: Addressing the Output Interpretation Problem
Like a debugger: error traces mapped back to source
– Run error traces forwards and backwards
– Program state queried
– Heap structures navigated
– Locks, wait sets, blocked sets displayed
  Java Source -> Model Compiler (Intermediate Representations) -> Model Description + simulator -> Model Checker -> Error trace (Line 5: … Line 12: … Line 15: … Line 21: …), mapped back through the intermediate representations to the Java source
Page 20: Bandera Architecture
Java -> Parser -> Jimple -> Slicer, Abstraction Engine, Analyses -> BIRC -> BIR -> Translators -> SPIN, dSPIN, SMV, JPF
Also: Property Tool, Simulator, Error Trace Display
Page 21: Property Specification
  /**
   * observable
   * EXP Full: (head == tail);
   */
  class BoundedBuffer {
    Object [] buffer;
    int head, tail, bound;
    public synchronized void add(Object o) {…}
    public synchronized Object take () {…}
  }
Requirement: If a buffer becomes full, it will eventually become non-full.
Bandera Specification:
  FullToNonFull: forall[b:BoundedBuffer]. {!Full(b)} responds to {Full(b)} globally;
Pages 22-24: Property Specification
Page 25: Property-directed Slicing
– Slicing criterion generated automatically from observables mentioned in the property
– Backwards slicing automatically finds all components that might influence the observables.
Source program -> Slice -> Resulting slice: the components mentioned in the property plus those indirectly relevant
Page 26: Property-directed Slicing
  /**
   * @observable EXP Full: (head == tail)
   */
  class BoundedBuffer {
    Object [] buffer_;
    int bound;
    int head, tail;
    public synchronized void add(Object o) {
      while ( tail == head )
        try { wait(); } catch ( InterruptedException ex) {}
      buffer_[head] = o;
      head = (head+1) % bound;
      notifyAll();
    }
    ...
  }
Slicing criterion: all statements that assign to head, tail (included in the slicing criterion); the remaining statements are either indirectly relevant or removed by slicing.
Page 27: Property-directed Slicing: Dependencies for concurrent Java [SAS’99]
– Data Dependence: x := 3; … y = x + 1;
– Control Dependence: a statement guarded by z<0
– Interference Dependence (between Thread 1 and Thread 2): x := z; … z := 4;
– Synchronization Dependence: enter monitor(o) in both threads
– Ready Dependence: notify(o) … wait(o)
Page 28: Abstraction Engine
Collapses data domains via abstract interpretation:
Data domains: int -> Signs {neg, zero, pos}, with (n<0): neg, (n==0): zero, (n>0): pos
Code:
  int x = 0; if (x == 0) x = x + 1;
becomes
  Signs x = zero; if (x == zero) x = pos;
Page 29: Abstraction Component Functionality
Bandera Abstraction Specification Language -> BASL Compiler -> Abstraction Library, with proof obligations checked in PVS
Jimple -> Abstraction Engine -> Abstracted Jimple
Type table with columns Variable, Concrete Type, Abstract Type, Inferred Type: variables x, y, done, count, o, b with concrete types int, int, bool, int, Object, Buffer; the abstract and inferred types shown include Signs, int, AbsBool, Point and Buffer.
Page 30: Abstraction Specification
  abstraction Signs abstracts int
  begin
    TOKENS = { NEG, ZERO, POS };
    abstract(n)
    begin
      n < 0  -> {NEG};
      n == 0 -> {ZERO};
      n > 0  -> {POS};
    end
    operator + add
    begin
      (NEG , NEG)  -> {NEG} ;
      (NEG , ZERO) -> {NEG} ;
      (ZERO, NEG)  -> {NEG} ;
      (ZERO, ZERO) -> {ZERO} ;
      (ZERO, POS)  -> {POS} ;
      (POS , ZERO) -> {POS} ;
      (POS , POS)  -> {POS} ;
      (_,_) -> {NEG, ZERO, POS}; /* case (POS,NEG), (NEG,POS) */
    end
Compiled:
  public class Signs {
    public static final int NEG  = 0; // mask 1
    public static final int ZERO = 1; // mask 2
    public static final int POS  = 2; // mask 4

    // abstract(n) of the spec; "abstract" is a reserved word in Java, so the
    // compiled method carries a legal name instead
    public static int abstractValue(int n) {
      if (n < 0) return NEG;
      if (n == 0) return ZERO;
      return POS; // n > 0
    }

    public static int add(int arg1, int arg2) {
      if (arg1==NEG  && arg2==NEG)  return NEG;
      if (arg1==NEG  && arg2==ZERO) return NEG;
      if (arg1==ZERO && arg2==NEG)  return NEG;
      if (arg1==ZERO && arg2==ZERO) return ZERO;
      if (arg1==ZERO && arg2==POS)  return POS;
      if (arg1==POS  && arg2==ZERO) return POS;
      if (arg1==POS  && arg2==POS)  return POS;
      // case (POS,NEG), (NEG,POS): nondeterministic choice over mask 1|2|4
      return Bandera.choose(7);
    }
  }
Page 31: Specification Creation Tools
For the Signs abstraction (BASL specification as on page 30), proof obligations are generated automatically and submitted to PVS...
Example: Start safe, then refine: +(NEG,NEG)={NEG,ZERO,POS}
  Forall n1,n2: neg?(n1) and neg?(n2) implies not pos?(n1+n2)
  Forall n1,n2: neg?(n1) and neg?(n2) implies not zero?(n1+n2)
  Forall n1,n2: neg?(n1) and neg?(n2) implies not neg?(n1+n2)
Each obligation that PVS proves lets its token be dropped from the safe result; here the first two are provable and the third is not, which yields the entry +(NEG,NEG)={NEG} of the operator table.
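The "start safe, then refine" procedure of this and the previous page, as an added example in Python (not Bandera's BASL compiler or its PVS link): every token pair starts with the full result set and a token is dropped only when its obligation holds. The PVS proof is replaced by an exhaustive check over a constructed sample range, which is an assumption of this example and makes the derived table evidence rather than proof; the Bandera.choose bit mask and the library's Modulo(2) abstraction are included to show the generalization.

```python
from itertools import product
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple

# An abstraction is a set of named tokens with the predicate each one stands for.
Token = str
Abstraction = Dict[Token, Callable[[int], bool]]

# Signs from the slide's BASL spec, and Modulo(2) from the abstraction library.
SIGNS: Abstraction = {"NEG": lambda n: n < 0, "ZERO": lambda n: n == 0, "POS": lambda n: n > 0}
MODULO2: Abstraction = {"EVEN": lambda n: n % 2 == 0, "ODD": lambda n: n % 2 == 1}

# Constructed bounded concrete domain (assumption).  Bandera discharges each
# obligation as a PVS proof over all integers; a finite sample can only give
# evidence, and a sample that misses values a token depends on could drop that
# token unsoundly.  refine_operator refuses to refine unsampled token pairs.
SAMPLES = range(-8, 9)


def abstract(abs_: Abstraction, n: int) -> Token:
    """abstract(n) of the BASL spec: the one token whose predicate holds for n."""
    matches = [tok for tok, pred in abs_.items() if pred(n)]
    if len(matches) != 1:
        raise ValueError(f"tokens must partition the domain: {n} -> {matches}")
    return matches[0]


def refine_operator(abs_: Abstraction, op: Callable[[int, int], int]) -> Dict[Tuple[Token, Token], FrozenSet[Token]]:
    """Start safe, then refine: each (a, b) pair begins with the full token set,
    and token t is dropped when the obligation
        forall n1,n2: a?(n1) and b?(n2) implies not t?(op(n1,n2))
    holds for every sampled pair.  Tokens whose obligation fails stay."""
    table = {}
    for a, b in product(abs_, repeat=2):
        pairs = [(n1, n2) for n1 in SAMPLES for n2 in SAMPLES
                 if abs_[a](n1) and abs_[b](n2)]
        if not pairs:  # nothing sampled for this pair: stay with the safe result
            table[(a, b)] = frozenset(abs_)
            continue
        result = set(abs_)
        for t in abs_:
            if all(not abs_[t](op(n1, n2)) for n1, n2 in pairs):
                result.discard(t)
        table[(a, b)] = frozenset(result)
    return table


def token_mask(abs_: Abstraction, tokens: Iterable[Token]) -> int:
    """Bit mask handed to Bandera.choose(): token i in spec order has bit 2**i,
    so NEG=1, ZERO=2, POS=4 and {NEG, ZERO, POS} is choose(7) as on the slide."""
    order = list(abs_)
    return sum(1 << order.index(t) for t in tokens)


def signs_add_table() -> Dict[Tuple[Token, Token], FrozenSet[Token]]:
    """The 'operator + add' table of the Signs spec, derived instead of hand-written."""
    return refine_operator(SIGNS, lambda x, y: x + y)


def basl_lines(abs_: Abstraction, table: Dict[Tuple[Token, Token], FrozenSet[Token]]) -> List[str]:
    """Render a derived table in the slide's BASL syntax, one case per line."""
    return [f"({a}, {b}) -> {{{', '.join(t for t in abs_ if t in toks)}}};"
            for (a, b), toks in table.items()]


if __name__ == "__main__":
    for line in basl_lines(SIGNS, signs_add_table()):
        print(line)
    for line in basl_lines(MODULO2, refine_operator(MODULO2, lambda x, y: x + y)):
        print(line)
```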
Page 32: Abstraction Library
Current Library Contains:
Range(i,j) : i..j modeled precisely, e.g.,
– Range(0,0) is the signs abstraction
– Range(2,4) has tokens {lt2,2,3,4,gt4}
Modulo(k), e.g.,
– Modulo(2) is the even-odd abstraction
Specific(v,…) : identifies values of interest, e.g.,
– Specific(10) has tokens {eq10,not10}
User extendable for base type predicates
Page 33: Back End
Bandera Intermediate Representation (BIR)
– guarded command language
– includes: locks, threads, references, heap
– info to help translators (live vars, invisible)
Jimple:
  entermonitor r0
  r1.count = 0;
  …
BIR:
  loc s5: live { r0, r1 } when lockAvail(r0.lock) do { lock(r0.lock); } goto s6;
  loc s6: live { r1 } when true do invisible { r1.count = 0; } goto s7;
Page 34: Bounded Buffer BIR
  process BoundedB()
    BoundedBuffer_ref = ref { BoundedBuffer_col, BoundedBuffer_col_0 };
    BoundedBuffer_rec = record {
      bound_ : range -1..4;
      head_ : range -1..4;
      tail_ : range -1..4;
      BIRLock : lock wait reentrant;
    };
    BoundedBuffer_col : collection [3] of BoundedBuffer_rec;
    BoundedBuffer_col_0 : collection [3] of BoundedBuffer_rec;
    …
    loc s34: live { b2, b1, add_JJJCTEMP_0, add_JJJCTEMP_6, add_JJJCTEMP_8 }
      when true do invisible { add_JJJCTEMP_8 := (add_JJJCTEMP_6 % add_JJJCTEMP_8); } goto s35;
    loc s35: live { b2, b1, add_JJJCTEMP_0, add_JJJCTEMP_8 }
      when true do { add_JJJCTEMP_0.head_ := add_JJJCTEMP_8; } goto s36;
    loc s36: live { b2, b1, add_JJJCTEMP_0 }
      when true do { notifyAll(add_JJJCTEMP_0.BIRLock); } goto s37;
    loc s37: live { b2, b1, add_JJJCTEMP_0 }
      when true do { unlock(add_JJJCTEMP_0.BIRLock); } goto s38;
Page 35: Bounded Buffer Promela
  typedef BoundedBuffer_rec {
    type_8 bound_;
    type_8 head_;
    type_8 tail_;
    type_18 BIRLock;
  }
  ……
  loc_25: atomic {
    printf("BIR: 25 0 1 OK\n");
    if
    :: (_collect(add_JJJCTEMP_0) == 1) ->
         add_JJJCTEMP_8 = BoundedBuffer_col.instance[_index(add_JJJCTEMP_0)].tail_;
    :: (_collect(add_JJJCTEMP_0) == 2) ->
         add_JJJCTEMP_8 = BoundedBuffer_col_0.instance[_index(add_JJJCTEMP_0)].tail_;
    :: else -> printf("BIR: 25 0 1 NullPointerException\n"); assert(0);
    fi;
    goto loc_26;
  }
Page 36: Translators
Plug-in component that interfaces to a specific model checker
– Translates BIR to the checker input language
– Parses the output of the checker for the error trace
Currently
– SPIN, dSPIN, SMV translators complete
– JPF (from NASA Ames) integrated
– XMC, FDR translators in progress
Page 37: Case Studies
Small examples thus far (< 2000 loc)
– illustrating use of property-pattern system and other components
Scheduler from DEOS real-time OS kernel
– (1600, 22 classes, seven tasks)
Now trying systems up to 20,000 loc
– collection of 15 open-source 100% pure Java programs
– Jigsaw web-server from W3C
– Tomcat, James (from Apache/Jakarta)
In general, 1-2 minutes for model extraction (on ~2000k systems)
State space reductions can dramatically reduce cost
Page 38: Summary
Bandera provides an open platform for experimentation
Separates model checking from extraction
– uses existing model checkers
– supports multiple model checkers
Specialize models for specific properties using automated support for slicing, abstraction, etc.
Designed for extensibility
– well-defined internal representations and interfaces
We hope this will contribute to the definition of APIs for software model-checkers
Page 39: Other Work on Software Model-checking
Java
– JPF (NASA Ames)
– JCAT (Torino)
– Java to SAL (Stanford)
C
– SLAM (Microsoft Research)
– AX, FeaVer (Lucent)
Page 40: Current Status
A reasonable subset of concurrent Java
– not handled: recursive methods, exceptions, inner classes, native methods, libraries(*)
Public release: October 2000
Demo tomorrow morning
http://www.cis.ksu.edu/santos/bandera