Bogor Support US Army Research Office (ARO) US National Science Foundation (NSF) US Department of Defense Advanced Research Projects Agency (DARPA) Rockwell-Collins.

Slides:



Advertisements
Similar presentations
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
purpose Search : automation methods for device driver development in IP-based embedded systems in order to achieve high reliability, productivity, reusability.
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Presented by: Thabet Kacem Spring Outline Contributions Introduction Proposed Approach Related Work Reconception of ADLs XTEAM Tool Chain Discussion.
ISBN Chapter 3 Describing Syntax and Semantics.
Software Model Checking for Embedded Systems PIs: Matthew Dwyer 1, John Hatcliff 1, and George Avrunin 2 Post-docs: Steven Seigel 2, Radu Iosif 1 Students:
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.
ITEC200 Week02 Program Correctness and Efficiency.
Page 1 Building Reliable Component-based Systems Chapter 16 - Component based embedded systems Chapter 16 Component based embedded systems.
1 BOGOR – A Flexible Framework For Creating Model Checkers Presented by : Roli Shrivastava 20 March 2007.
Component-Level Design
Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.
Software Testing and Quality Assurance
OOP in Java Nelson Padua-Perez Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.
Developing Verifiable Concurrent Software Tevfik Bultan Department of Computer Science University of California, Santa Barbara
OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.
Efficient Software Model Checking of Data Structure Properties Paul T. Darga Chandrasekhar Boyapati The University of Michigan.
Describing Syntax and Semantics
Efficient Modular Glass Box Software Model Checking Michael Roberson Chandrasekhar Boyapati The University of Michigan.
Object-oriented design CS 345 September 20,2002. Unavoidable Complexity Many software systems are very complex: –Many developers –Ongoing lifespan –Large.
Architectural Design Establishing the overall structure of a software system Objectives To introduce architectural design and to discuss its importance.
C++ fundamentals.
Programming Languages and Paradigms Object-Oriented Programming.
Katanosh Morovat.   This concept is a formal approach for identifying the rules that encapsulate the structure, constraint, and control of the operation.
Chapter 1 Introduction Dr. Frank Lee. 1.1 Why Study Compiler? To write more efficient code in a high-level language To provide solid foundation in parsing.
Support US Army Research Office (ARO) US National Science Foundation (NSF) US Department of Defense Advanced Research Projects Agency (DARPA) Boeing Honeywell.
Domain-specific Model Checking with Bogor SAnToS Laboratory, Kansas State University, USA US Army Research Office (ARO)
1 Module Objective & Outline Module Objective: After completing this Module, you will be able to, appreciate java as a programming language, write java.
Lecture 2 Object Oriented Programming Basics of Java Language MBY.
Model-Driven Analysis Frameworks for Embedded Systems George Edwards USC Center for Systems and Software Engineering
CSE 219 Computer Science III Program Design Principles.
Formal Verification Lecture 9. Formal Verification Formal verification relies on Descriptions of the properties or requirements Descriptions of systems.
1 5 Nov 2002 Risto Pohjonen, Juha-Pekka Tolvanen MetaCase Consulting AUTOMATED PRODUCTION OF FAMILY MEMBERS: LESSONS LEARNED.
Ihr Logo Operating Systems Internals & Design Principles Fifth Edition William Stallings Chapter 2 (Part II) Operating System Overview.
Today’s Agenda  Quick Review  Continue on JML Formal Methods in Software Engineering1.
Modeling Component-based Software Systems with UML 2.0 George T. Edwards Jaiganesh Balasubramanian Arvind S. Krishna Vanderbilt University Nashville, TN.
Model construction and verification for dynamic programming languages Radu Iosif
Model Checking and Model-Based Design Bruce H. Krogh Carnegie Mellon University.
An extensible and highly-modular model checking framework SAnToS Laboratory, Kansas State University, USA Matt Dwyer.
CIS 842: Specification and Verification of Reactive Systems Lecture 1: Course Overview Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The.
Introducing Allors Applications, Tools & Platform.
Programming Languages and Design Lecture 3 Semantic Specifications of Programming Languages Instructor: Li Ma Department of Computer Science Texas Southern.
Semantics In Text: Chapter 3.
1 CSCD 326 Data Structures I Software Design. 2 The Software Life Cycle 1. Specification 2. Design 3. Risk Analysis 4. Verification 5. Coding 6. Testing.
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University IWPSE 2003 Program.
Domain-specific Model Checking with Bogor SAnToS Laboratory, Kansas State University, USA US Army Research Office (ARO)
CIS 842: Specification and Verification of Reactive Systems Lecture INTRO-Examples: Simple BIR-Lite Examples Copyright 2004, Matt Dwyer, John Hatcliff,
1 Bogor – Software Model Checking Framework Presented by: Arpita Gandhi.
1 Technical & Business Writing (ENG-715) Muhammad Bilal Bashir UIIT, Rawalpindi.
PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013.
Formal Methods in Software Engineering1 Today’s Agenda  Mailing list  Syllabus  Introduction.
Object Design More Design Patterns Object Constraint Language Object Design Specifying Interfaces Review Exam 2 CEN 4010 Class 18 – 11/03.
Domain-specific Model Checking with Bogor SAnToS Laboratory, Kansas State University, USA US Army Research Office (ARO)
David Evans CS201J: Engineering Software University of Virginia Computer Science Lecture 5: Implementing Data Abstractions.
Model Checking Early Requirements Specifications in Tropos Presented by Chin-Yi Tsai.
Sung-Dong Kim, Dept. of Computer Engineering, Hansung University Java - Introduction.
UML Diagrams By Daniel Damaris Novarianto S..
Current Generation Hypervisor Type 1 Type 2.
OO Methodology OO Architecture.
Model Checking Software Using The Bogor Framework
Space-Reduction Strategies for Model Checking Dynamic Software
Model Checking Software Using The Bogor Framework
Real-time Software Design
Introduction to Data Structure
Java Modeling Language (JML)
The Bogor Model Checking Framework
From Use Cases to Implementation
Presentation transcript:

Bogor Support US Army Research Office (ARO) US National Science Foundation (NSF) US Department of Defense Advanced Research Projects Agency (DARPA) Rockwell-Collins ATC Boeing Lockheed Martin IBM An Extensible and Highly Modular Software Model-Checking Framework SAnToS Laboratory, Kansas State University, USA Matthew Dwyer John Hatcliff Robby Radu Iosif William Deng Edwin Rodriguez

Research Context Working on a variety of techniques static analysis, model-checking, run-time monitoring code level, architectural design level Aiming for robust tools built on solid semantic foundations open source, close to commercial quality Interacting intensively with domain experts research teams at Boeing (St. Louis), Rockwell-Collins, and Lockheed-Martin real-time middleware developers (Vanderbilt, Wash U (ACE-TAO), UC Irvine (Zen) Integration into development process ease of use and scalability sometimes take precedence over theoretical elegance most of the time, focus is on bug-finding rather than true verification SAnToS Laboratory, Kansas State University

Broad Overview being rebuilt from the ground up testing on significant code bases core model-checking engine technical work heap/thread symmetry sophisticated partial-order reductions for OO software large collection of course materials meta-modeling & software architectures variety of development tools for CCM, EJB, DRE Component Models (PRiSM from Boeing) dependency analysis techniques for concurrent Java and architectural designs security (information flow) applications automatic customization tools Indus

Bogor

Bogor – Software Model Checking Framework

Bogor – Direct support for OO software unbounded dynamic creation of threads and objects automatic memory management (garbage collection) virtual methods, … …, exceptions, etc. supports virtually all of Java thread & heap symmetry compact state representation partial order reduction techniques driven by object escape analysis locking information Extensive support for checking concurrent OO software Direct support for… Software targeted algorithms…

Tool Development Framework Bogor – Eclipse-based Tool Components Architecture allows encapsulation/integration with other verification tools using IBM’s Eclipse Integrated Development Environment Cadena CORBA Component Model verification Next generation of Bandera Java Model- checking Tool Set SpEx JML Verification, etc.

Bogor – Domain Specific Model-Checking Extensible modeling language and plug-in architecture allows Bogor to be customized to a variety of application domains Modeling language and Algorithms easily customized to different domains Domain YDomain Z Domain X

Variety of Application Domains Hardware Device Drivers Avionics Automotive Telephony GUI

Leveraging Domain Knowledge Holzmann developed a customized model extraction from C to Spin Translation using pattern matching of particular domain idioms In essence, an abstract machine for a particular domain Very effective at finding subtle defects Lucent Path Star Telephone Switch Lucent Path Star Telephone Switch

Model Checker Variety of System Descriptions Design Notations Byte code State Machines Source code Different levels of abstraction!

Abstract machine tailored to domain and level of abstraction The Goal Model-checking Engine Avionics State Machines Domain & Abstraction Extensions

Abstract machine tailored to domain and level of abstraction The Goal Model-checking Engine Domain & Abstraction Extensions Device Drivers Source code Domain & Abstraction Extensions

Abstract machine tailored to domain and level of abstraction The Goal Model-checking Engine Domain & Abstraction Extensions Domain & Abstraction Extensions Automotive Design Notations Domain & Abstraction Extensions

Domain-Specific Model-Checking Bogor -- Extensible Modeling Language Core Modeling Language Threads, Objects, Methods, Exceptions, etc. + Extensions Sets Queues Tables RT CORBA Event Service API Abstraction Domain-specific Abstractions + Real-time Scheduling Quasi-cyclic Search Partial State Representation Bogor -- Customizable Checking Engine Modules Scheduling Strategy State-space Exploration State-space Representation Core Checker Modules Customized Checker Modules …existing modules…

Outline of Talk moving beyond assertions & temporal logic SpEx – checking JML specifications Adding support for concurrency to JML avionics mission-control domain model-checking engine for Cadena environment for CORBA Component Model development extension abstracts real-time CORBA event-channel layer II. Checking strong specs for OO programs III. A complex Bogor extension I. A simple Bogor extension a simple version of symmetric sets

Modeling Language Extensions Bogor allows definitions of new abstract types and abstract operations as first-class constructs extension Set for SetModule { typedef type ; expdef Set.type create (‘a...); expdef ‘a choose (Set.type ); actiondef add (Set.type, ‘a); expdef boolean forAll(‘a -> boolean, Set.type ); } A new type to represent polymorphic symmetric sets

Modeling Language Extensions Bogor allows definitions of new abstract types and abstract operations as first-class constructs extension Set for SetModule { typedef type ; expdef Set.type create (‘a...); expdef ‘a choose (Set.type ); actiondef add (Set.type, ‘a); expdef boolean forAll(‘a -> boolean, Set.type ); } Variable arity function for creating symmetric sets

Modeling Language Extensions Bogor allows definitions of new abstract types and abstract operations as first-class constructs extension Set for SetModule { typedef type ; expdef Set.type create (‘a...); expdef ‘a choose (Set.type ); actiondef add (Set.type, ‘a); expdef boolean forAll(‘a -> boolean, Set.type ); } Non-deterministically pick an element of the set to return

Modeling Language Extensions Bogor allows definitions of new abstract types and abstract operations as first-class constructs extension Set for SetModule { typedef type ; expdef Set.type create (‘a...); expdef ‘a choose (Set.type ); actiondef add (Set.type, ‘a); expdef boolean forAll(‘a -> boolean, Set.type ); } Higher-order function implements quantification over set elements Predicate on set element Set value to interate over

Java methods implementing actions and expressions Extension Implementation Extensions are implemented by associating each item in extension interface with Java methods that provide the semantics for the item (or state-vector storage representation in case of state). extension Set for SetModule { typedef type ; expdef Set.type create (‘a...); expdef ‘a choose (Set.type ); actiondef add (Set.type, ‘a); expdef boolean forAll(‘a -> boolean, Set.type ); } extension Set for SetModule { typedef type ; expdef Set.type create (‘a...); expdef ‘a choose (Set.type ); actiondef add (Set.type, ‘a); expdef boolean forAll(‘a -> boolean, Set.type ); } Extension Implementation Java implementation of set value and linearized (state-vector) representation.

Extension Implementation public class MySet implements INonPrimitiveExtValue { protected HashSet set = new HashSet(); protected boolean isNonPrimitiveElement; public void add(IValue v) { set.add(v); } public byte[][] linearize(..., int bitsPerNPV, ObjectIntTable npvIdMap) { Object[] elements = set.toArray(); BitBuffer bb = new BitBuffer(); if (isNonPrimitiveElement) { int[] elementIds = new int[elements.length]; for (int i = 0; i < elements.length; i++) elementIds[i] = npvIdMap.get(elements[i]); Arrays.sort(elementIds); for (int i = 0; i < elements.length; i++) bb.append(elementIds[i], bitsPerNPV); } else... return new byte[][] { bb.toByteArray() }; }... Implementing the set value for the set type

Extension Implementation public class MySet implements INonPrimitiveExtValue { protected HashSet set = new HashSet(); protected boolean isNonPrimitiveElement; public void add(IValue v) { set.add(v); } public byte[][] linearize(..., int bitsPerNPV, ObjectIntTable npvIdMap) { Object[] elements = set.toArray(); BitBuffer bb = new BitBuffer(); if (isNonPrimitiveElement) { int[] elementIds = new int[elements.length]; for (int i = 0; i < elements.length; i++) elementIds[i] = npvIdMap.get(elements[i]); Arrays.sort(elementIds); for (int i = 0; i < elements.length; i++) bb.append(elementIds[i], bitsPerNPV); } else... return new byte[][] { bb.toByteArray() }; }... Implementing the set value for the set type Implement Bogor interface for non-primitive value

Extension Implementation public class MySet implements INonPrimitiveExtValue { protected HashSet set = new HashSet(); protected boolean isNonPrimitiveElement; public void add(IValue v) { set.add(v); } public byte[][] linearize(..., int bitsPerNPV, ObjectIntTable npvIdMap) { Object[] elements = set.toArray(); BitBuffer bb = new BitBuffer(); if (isNonPrimitiveElement) { int[] elementIds = new int[elements.length]; for (int i = 0; i < elements.length; i++) elementIds[i] = npvIdMap.get(elements[i]); Arrays.sort(elementIds); for (int i = 0; i < elements.length; i++) bb.append(elementIds[i], bitsPerNPV); } else... return new byte[][] { bb.toByteArray() }; }... Implementing the set value for the set type Reuse Java collection to implement set

Extension Implementation public class MySet implements INonPrimitiveExtValue { protected HashSet set = new HashSet(); protected boolean isNonPrimitiveElement; public void add(IValue v) { set.add(v); } public byte[][] linearize(..., int bitsPerNPV, ObjectIntTable npvIdMap) { Object[] elements = set.toArray(); BitBuffer bb = new BitBuffer(); if (isNonPrimitiveElement) { int[] elementIds = new int[elements.length]; for (int i = 0; i < elements.length; i++) elementIds[i] = npvIdMap.get(elements[i]); Arrays.sort(elementIds); for (int i = 0; i < elements.length; i++) bb.append(elementIds[i], bitsPerNPV); } else... return new byte[][] { bb.toByteArray() }; }... Implementing the set value for the set type Implementation of add operation

Extension Implementation public class MySet implements INonPrimitiveExtValue { protected HashSet set = new HashSet(); protected boolean isNonPrimitiveElement; public void add(IValue v) { set.add(v); } public byte[][] linearize(..., int bitsPerNPV, ObjectIntTable npvIdMap) { Object[] elements = set.toArray(); BitBuffer bb = new BitBuffer(); if (isNonPrimitiveElement) { int[] elementIds = new int[elements.length]; for (int i = 0; i < elements.length; i++) elementIds[i] = npvIdMap.get(elements[i]); Arrays.sort(elementIds); for (int i = 0; i < elements.length; i++) bb.append(elementIds[i], bitsPerNPV); } else... return new byte[][] { bb.toByteArray() }; }... Implementing the set value for the set type Constructs a bit vector that represents the set instead of encoding the HashSet instance Constructs a bit vector that represents the set instead of encoding the HashSet instance See Bogor web site for extensive tutorial (PowerPoint slides) and the paper ”Bogor: An extensible and highly modular software model-checking framework”

Outline of Talk avionics mission-control domain model-checking engine for Cadena environment for CORBA Component Model development extension abstracts real-time CORBA event-channel layer III. A complex Bogor extension I. A simple Bogor extension a simple version of symmetric sets moving beyond assertions & temporal logic SpEx – checking JML specifications Adding support for concurrency to JML II. Checking strong specs for OO programs

Assertions for Software Verification Use of assertions has become common practice among developers 10 years ago assertions were not considered useful by developers evidence of the effectiveness of assertions David Rosenblum (1995) now some programming languages have included assertions in their standard specifications c.f. Java 1.4 assertions

protected synchronized Object extract() { synchronized (head) { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; } protected void insert(Object x) { synchronized (putLock) { LinkedNode p = new LinkedNode(x); synchronized (last) { last.next = p; last = p; } if (waitingForTake > 0) putLock.notify(); return; } public Object take() { Object x = extract(); if (x != null) return x; else … } public class LinkedNode { public Object value; public LinkedNode next; public LinkedNode(Object x) { value = x; } public class LinkedQueue { protected final Object putLock; protected LinkedNode head; protected LinkedNode last = head; protected int waitingForTake = 0; public LinkedQueue() { putLock = new Object(); head = new LinkedNode(null); } public boolean isEmpty() { synchronized (head) { return head.next == null; } public void put(Object x) { if (x == null) throw new IllegalArgumentException(); insert(x); } protected void insert(Object x) { synchronized (putLock) { LinkedNode p = new LinkedNode(x); synchronized (last) { last.next = p; last = p; } if (waitingForTake > 0) putLock.notify(); return; } Concurrent Queue based on Linked List (Doug Lea’s util.concurrent package) … allows concurrent access to put() and take() assert(x != null);

An example public class LinkedNode { public Object value; public LinkedNode next; public LinkedNode(Object x) { value = x; } public class LinkedQueue { protected final Object putLock; protected LinkedNode head; protected LinkedNode last = head; protected int waitingForTake = 0; public LinkedQueue() { putLock = new Object(); head = new LinkedNode(null); } public boolean isEmpty() { synchronized (head) { return head.next == null; } public void put(Object x) { if (x == null) throw new IllegalArgumentException(); insert(x); } protected synchronized Object extract() { synchronized (head) { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; } protected void insert(Object x) { synchronized (putLock) { LinkedNode p = new LinkedNode(x); synchronized (last) { last.next = p; last = p; } if (waitingForTake > 0) putLock.notify(); return; } public Object take() { Object x = extract(); if (x != null) return x; else … } public class LinkedQueue { protected final Object putLock; protected LinkedNode head; protected LinkedNode last = head; protected int waitingForTake = 0;. Specify that putLock is never null

protected synchronized Object extract() { assert(putLock != null); synchronized (head) { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; } assert(putLock != null); } protected void insert(Object x) { assert(putLock != null); synchronized (putLock) { LinkedNode p = new LinkedNode(x); synchronized (last) { last.next = p; last = p; } if (waitingForTake > 0) putLock.notify(); return; } assert(putLock != null); } public Object take() { assert(putLock != null); Object x = extract(); if (x != null) return x; else … assert(putLock != null); } An example public class LinkedNode { public Object value; public LinkedNode next; public LinkedNode(Object x) { value = x; } public class LinkedQueue { protected final Object putLock; protected LinkedNode head; protected LinkedNode last = head; protected int waitingForTake = 0; public LinkedQueue() { assert(putLock != null); putLock = new Object(); head = new LinkedNode(null); assert(putLock != null); } public boolean isEmpty() { assert(putLock != null); synchronized (head) { return head.next == null; } assert(putLock != null); } public void put(Object x) { assert(putLock != null); if (x == null) throw new IllegalArgumentException(); insert(x); assert(putLock != null); } Specify that putLock is never null Need more declarative formalisms

Specification Languages We want specification languages that have a rich set of primitives for observing program state heap-allocated objects, concurrency, etc. make it easy to write useful specifications support lightweight and deep-semantic specifications be checkable using a variety of analysis techniques static analysis, theorem proving, etc.

Java Modeling Language (JML) Developed by G. Leavens and other colleagues at Iowa State University very rich set of operators, especially for describing complex heap properties \reach(r), \forall(), \old(), etc. support for specifications with varying degrees of complexity lightweight vs. heavyweight specifications has been checked with a variety of different techniques so far, static analysis, theorem proving and runtime checking Emerging as a standard specification language for Java within the research community

Java Modeling Language (JML) public class LinkedNode { public Object value; public LinkedNode next; public LinkedNode(Object x) { value = x; } public class LinkedQueue { protected final Object putLock; protected LinkedNode head; protected LinkedNode last = head; protected int waitingForTake = 0; public LinkedQueue() { putLock = new Object(); head = new LinkedNode(null); } public boolean isEmpty() { synchronized (head) { return head.next == null; } public void put(Object x) { if (x == null) throw new IllegalArgumentException(); insert(x); } protected synchronized Object extract() { synchronized (head) { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; } protected void insert(Object x) { synchronized (putLock) { LinkedNode p = new LinkedNode(x); synchronized (last) { last.next = p; last = p; } if (waitingForTake > 0) putLock.notify(); return; } public Object take() { Object x = extract(); if (x != null) return x; else … } protected void insert(Object x) { assert(x != null); synchronized (putLock) { LinkedNode p = new LinkedNode(x); synchronized (last) { last.next = p; last = p; } if (waitingForTake > 0) putLock.notify(); return; } requires x != null; protected void insert(Object x) { synchronized (putLock) { LinkedNode p = new LinkedNode(x); synchronized (last) { last.next = p; last = p; } if (waitingForTake > 0) putLock.notify(); return; }

protected synchronized Object extract() { assert(putLock != null); synchronized (head) { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; } assert(putLock != null); } protected void insert(Object x) { assert(putLock != null); synchronized (putLock) { LinkedNode p = new LinkedNode(x); synchronized (last) { last.next = p; last = p; } if (waitingForTake > 0) putLock.notify(); return; } assert(putLock != null); } public Object take() { assert(putLock != null); Object x = extract(); if (x != null) return x; else … assert(putLock != null); } An example public class LinkedNode { public Object value; public LinkedNode next; public LinkedNode(Object x) { value = x; } } public class LinkedQueue { protected final Object putLock; protected LinkedNode head; protected LinkedNode last = head; protected int waitingForTake = 0; public LinkedQueue() { assert(putLock != null); putLock = new Object(); head = new LinkedNode(null); assert(putLock != null); } public boolean isEmpty() { assert(putLock != null); synchronized (head) { return head.next == null; } assert(putLock != null); } public void put(Object x) { assert(putLock != null); if (x == null) throw new IllegalArgumentException(); insert(x); assert(putLock != null); } public class LinkedQueue { protected final Object putLock;.

public class LinkedNode { public Object value; public LinkedNode next; ensures value == public LinkedNode(Object x) { value = x; } public class LinkedQueue { protected final Object putLock; protected LinkedNode head; protected LinkedNode last = head; protected int waitingForTake = 0; instance invariant waitingForTake >= 0; instance invariant \reach(head).has(last); assignable head, last, putLock, ensures \fresh(head, putLock) && head.next == public LinkedQueue() { putLock = new Object(); head = new LinkedNode(null); } ensures \result head.next == public boolean isEmpty() { synchronized (head) { return head.next == null; } requires n != assignable last, protected void refactoredInsert(LinkedNode n) { last.next = n; last = n; } requires x != ensures also requires x == signals (Exception e) e instanceof public void put(Object x) { if (x == null) throw new IllegalArgumentException(); insert(x); } protected synchronized Object extract() { synchronized (head) { return refactoredExtract(); } assignable head, ensures \result == null || (\exists LinkedNode n.value == && protected Object refactoredExtract() { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; } requires x != ensures last.value == x && protected void insert(Object x) { synchronized (putLock) { LinkedNode p = new LinkedNode(x); synchronized (last) refactoredInsert(p); if (waitingForTake > 0) putLock.notify(); return; } Java Modeling Language (JML) … ability to make deep-semantic specifications assignable head, ensures \result == null || (\exists LinkedNode n.value == && protected synchronized Object extract() { synchronized(head) { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; }

public class LinkedNode { public Object value; public LinkedNode next; ensures value == public LinkedNode(Object x) { value = x; } public class LinkedQueue { protected final Object putLock; protected LinkedNode head; protected LinkedNode last = head; protected int waitingForTake = 0; instance invariant waitingForTake >= 0; instance invariant \reach(head).has(last); assignable head, last, putLock, ensures \fresh(head, putLock) && head.next == public LinkedQueue() { putLock = new Object(); head = new LinkedNode(null); } ensures \result head.next == public boolean isEmpty() { synchronized (head) { return head.next == null; } requires n != assignable last, protected void refactoredInsert(LinkedNode n) { last.next = n; last = n; } requires x != ensures also requires x == signals (Exception e) e instanceof public void put(Object x) { if (x == null) throw new IllegalArgumentException(); insert(x); } protected synchronized Object extract() { synchronized (head) { return refactoredExtract(); } assignable head, ensures \result == null || (\exists LinkedNode n.value == && protected Object refactoredExtract() { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; } requires x != ensures last.value == x && protected void insert(Object x) { synchronized (putLock) { LinkedNode p = new LinkedNode(x); synchronized (last) refactoredInsert(p); if (waitingForTake > 0) putLock.notify(); return; } Java Modeling Language (JML) … ability to make deep-semantic specifications assignable head, ensures \result == null || (\exists LinkedNode n.value == && protected synchronized Object extract() { synchronized(head) { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; } Frame conditions – can only assign to these variables.

public class LinkedNode { public Object value; public LinkedNode next; ensures value == public LinkedNode(Object x) { value = x; } public class LinkedQueue { protected final Object putLock; protected LinkedNode head; protected LinkedNode last = head; protected int waitingForTake = 0; instance invariant waitingForTake >= 0; instance invariant \reach(head).has(last); assignable head, last, putLock, ensures \fresh(head, putLock) && head.next == public LinkedQueue() { putLock = new Object(); head = new LinkedNode(null); } ensures \result head.next == public boolean isEmpty() { synchronized (head) { return head.next == null; } requires n != assignable last, protected void refactoredInsert(LinkedNode n) { last.next = n; last = n; } requires x != ensures also requires x == signals (Exception e) e instanceof public void put(Object x) { if (x == null) throw new IllegalArgumentException(); insert(x); } protected synchronized Object extract() { synchronized (head) { return refactoredExtract(); } assignable head, ensures \result == null || (\exists LinkedNode n.value == && protected Object refactoredExtract() { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; } requires x != ensures last.value == x && protected void insert(Object x) { synchronized (putLock) { LinkedNode p = new LinkedNode(x); synchronized (last) refactoredInsert(p); if (waitingForTake > 0) putLock.notify(); return; } Java Modeling Language (JML) … ability to make deep-semantic specifications assignable head, ensures \result == null || (\exists LinkedNode n.value == && protected synchronized Object extract() { synchronized(head) { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; } Post condition – the result of the method is null, or…

public class LinkedNode { public Object value; public LinkedNode next; ensures value == public LinkedNode(Object x) { value = x; } public class LinkedQueue { protected final Object putLock; protected LinkedNode head; protected LinkedNode last = head; protected int waitingForTake = 0; instance invariant waitingForTake >= 0; instance invariant \reach(head).has(last); assignable head, last, putLock, ensures \fresh(head, putLock) && head.next == public LinkedQueue() { putLock = new Object(); head = new LinkedNode(null); } ensures \result head.next == public boolean isEmpty() { synchronized (head) { return head.next == null; } requires n != assignable last, protected void refactoredInsert(LinkedNode n) { last.next = n; last = n; } requires x != ensures also requires x == signals (Exception e) e instanceof public void put(Object x) { if (x == null) throw new IllegalArgumentException(); insert(x); } protected synchronized Object extract() { synchronized (head) { return refactoredExtract(); } assignable head, ensures \result == null || (\exists LinkedNode n.value == && protected Object refactoredExtract() { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; } requires x != ensures last.value == x && protected void insert(Object x) { synchronized (putLock) { LinkedNode p = new LinkedNode(x); synchronized (last) refactoredInsert(p); if (waitingForTake > 0) putLock.notify(); return; } Java Modeling Language (JML) … ability to make deep-semantic specifications assignable head, ensures \result == null || (\exists LinkedNode n.value == && protected synchronized Object extract() { synchronized(head) { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; } there exists an instance n of the class LinkedNode (existential quantification of heap data) there exists an instance n of the class LinkedNode (existential quantification of heap data)

public class LinkedNode { public Object value; public LinkedNode next; ensures value == public LinkedNode(Object x) { value = x; } public class LinkedQueue { protected final Object putLock; protected LinkedNode head; protected LinkedNode last = head; protected int waitingForTake = 0; instance invariant waitingForTake >= 0; instance invariant \reach(head).has(last); assignable head, last, putLock, ensures \fresh(head, putLock) && head.next == public LinkedQueue() { putLock = new Object(); head = new LinkedNode(null); } ensures \result head.next == public boolean isEmpty() { synchronized (head) { return head.next == null; } requires n != assignable last, protected void refactoredInsert(LinkedNode n) { last.next = n; last = n; } requires x != ensures also requires x == signals (Exception e) e instanceof public void put(Object x) { if (x == null) throw new IllegalArgumentException(); insert(x); } protected synchronized Object extract() { synchronized (head) { return refactoredExtract(); } assignable head, ensures \result == null || (\exists LinkedNode n.value == && protected Object refactoredExtract() { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; } requires x != ensures last.value == x && protected void insert(Object x) { synchronized (putLock) { LinkedNode p = new LinkedNode(x); synchronized (last) refactoredInsert(p); if (waitingForTake > 0) putLock.notify(); return; } Java Modeling Language (JML) … ability to make deep-semantic specifications assignable head, ensures \result == null || (\exists LinkedNode n.value == && protected synchronized Object extract() { synchronized(head) { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; } look at the “pre-state” – the state of the execution when the method was entered

public class LinkedNode { public Object value; public LinkedNode next; ensures value == public LinkedNode(Object x) { value = x; } public class LinkedQueue { protected final Object putLock; protected LinkedNode head; protected LinkedNode last = head; protected int waitingForTake = 0; instance invariant waitingForTake >= 0; instance invariant \reach(head).has(last); assignable head, last, putLock, ensures \fresh(head, putLock) && head.next == public LinkedQueue() { putLock = new Object(); head = new LinkedNode(null); } ensures \result head.next == public boolean isEmpty() { synchronized (head) { return head.next == null; } requires n != assignable last, protected void refactoredInsert(LinkedNode n) { last.next = n; last = n; } requires x != ensures also requires x == signals (Exception e) e instanceof public void put(Object x) { if (x == null) throw new IllegalArgumentException(); insert(x); } protected synchronized Object extract() { synchronized (head) { return refactoredExtract(); } assignable head, ensures \result == null || (\exists LinkedNode n.value == && protected Object refactoredExtract() { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; } requires x != ensures last.value == x && protected void insert(Object x) { synchronized (putLock) { LinkedNode p = new LinkedNode(x); synchronized (last) refactoredInsert(p); if (waitingForTake > 0) putLock.notify(); return; } Java Modeling Language (JML) … ability to make deep-semantic specifications assignable head, ensures \result == null || (\exists LinkedNode n.value == && protected synchronized Object extract() { synchronized(head) { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; } in the pre-state, form the set of objects that are reachable via object references from head field

public class LinkedNode { public Object value; public LinkedNode next; ensures value == public LinkedNode(Object x) { value = x; } public class LinkedQueue { protected final Object putLock; protected LinkedNode head; protected LinkedNode last = head; protected int waitingForTake = 0; instance invariant waitingForTake >= 0; instance invariant \reach(head).has(last); assignable head, last, putLock, ensures \fresh(head, putLock) && head.next == public LinkedQueue() { putLock = new Object(); head = new LinkedNode(null); } ensures \result head.next == public boolean isEmpty() { synchronized (head) { return head.next == null; } requires n != assignable last, protected void refactoredInsert(LinkedNode n) { last.next = n; last = n; } requires x != ensures also requires x == signals (Exception e) e instanceof public void put(Object x) { if (x == null) throw new IllegalArgumentException(); insert(x); } protected synchronized Object extract() { synchronized (head) { return refactoredExtract(); } assignable head, ensures \result == null || (\exists LinkedNode n.value == && protected Object refactoredExtract() { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; } requires x != ensures last.value == x && protected void insert(Object x) { synchronized (putLock) { LinkedNode p = new LinkedNode(x); synchronized (last) refactoredInsert(p); if (waitingForTake > 0) putLock.notify(); return; } Java Modeling Language (JML) … ability to make deep-semantic specifications assignable head, ensures \result == null || (\exists LinkedNode n.value == && protected synchronized Object extract() { synchronized(head) { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; } the set of objects reachable from head in the pre-state has n in it (i.e., n is a member of the set)

public class LinkedNode { public Object value; public LinkedNode next; ensures value == public LinkedNode(Object x) { value = x; } public class LinkedQueue { protected final Object putLock; protected LinkedNode head; protected LinkedNode last = head; protected int waitingForTake = 0; instance invariant waitingForTake >= 0; instance invariant \reach(head).has(last); assignable head, last, putLock, ensures \fresh(head, putLock) && head.next == public LinkedQueue() { putLock = new Object(); head = new LinkedNode(null); } ensures \result head.next == public boolean isEmpty() { synchronized (head) { return head.next == null; } requires n != assignable last, protected void refactoredInsert(LinkedNode n) { last.next = n; last = n; } requires x != ensures also requires x == signals (Exception e) e instanceof public void put(Object x) { if (x == null) throw new IllegalArgumentException(); insert(x); } protected synchronized Object extract() { synchronized (head) { return refactoredExtract(); } assignable head, ensures \result == null || (\exists LinkedNode n.value == && protected Object refactoredExtract() { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; } requires x != ensures last.value == x && protected void insert(Object x) { synchronized (putLock) { LinkedNode p = new LinkedNode(x); synchronized (last) refactoredInsert(p); if (waitingForTake > 0) putLock.notify(); return; } Java Modeling Language (JML) … ability to make deep-semantic specifications assignable head, ensures \result == null || (\exists LinkedNode n.value == && protected synchronized Object extract() { synchronized(head) { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; } the value in the n node matches the method result

public class LinkedNode { public Object value; public LinkedNode next; ensures value == public LinkedNode(Object x) { value = x; } public class LinkedQueue { protected final Object putLock; protected LinkedNode head; protected LinkedNode last = head; protected int waitingForTake = 0; instance invariant waitingForTake >= 0; instance invariant \reach(head).has(last); assignable head, last, putLock, ensures \fresh(head, putLock) && head.next == public LinkedQueue() { putLock = new Object(); head = new LinkedNode(null); } ensures \result head.next == public boolean isEmpty() { synchronized (head) { return head.next == null; } requires n != assignable last, protected void refactoredInsert(LinkedNode n) { last.next = n; last = n; } requires x != ensures also requires x == signals (Exception e) e instanceof public void put(Object x) { if (x == null) throw new IllegalArgumentException(); insert(x); } protected synchronized Object extract() { synchronized (head) { return refactoredExtract(); } assignable head, ensures \result == null || (\exists LinkedNode n.value == && protected Object refactoredExtract() { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; } requires x != ensures last.value == x && protected void insert(Object x) { synchronized (putLock) { LinkedNode p = new LinkedNode(x); synchronized (last) refactoredInsert(p); if (waitingForTake > 0) putLock.notify(); return; } Java Modeling Language (JML) … ability to make deep-semantic specifications assignable head, ensures \result == null || (\exists LinkedNode n.value == && protected synchronized Object extract() { synchronized(head) { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; } the set of objects reachable from head in the final state does not have n in it.

Bogor Specs like this haven’t been checked with model-checking before… What makes Bogor well-suited for checking JML? Can we check JML efficiently? Questions…

Bogor’s Heap Representation Key Points… …explicit heap representation State …transition may create new objects, garbage, etc. Heap …garbage is eliminated …precise heap model …after each transition, a topological sort gives heap objects a canonical order Canonical heap …sort walks over heap, canonicalizes, and collects info …precise alias information …have access to all visited states (but, efficiently stored using collapse compression)

Bogor’s Heap Representation — Enables JML Specs Check Key Points… … many JML features are easy to support in Bogor State …transition may create new objects, garbage, etc. Heap …can easily compare objects in methods pre/post-states (c.f., \old) …precise alias information (c.f., assignable) Canonical heap …sort walks over heap, canonicalizes, and collects info …precise heap model (c.f., \reach)

Assessment The ability to state strong properties of heap- allocated data (as JML enables) is very useful complementary to techniques developed by UPenn team (JIST) which focus on synthesizing ordering constraints on calls to Java interfaces Bogor’s native support for OO features, explicit- state representation and extension facility enable JML property checking to be implemented fairly easily Bogor’s sophisticated partial-order reduction strategies (rely on dynamic escape and lock- pattern analysis) enable checking to be carried out efficiently for software units.

JML Reasoning Tools and Technologies JMLc/Testing Theorem Proving … m(…) { assume pre-conditions … … … … … … prove post-conditions } … m(…) { } Environment manipulate formulas checking that specifications are satisfied for particular traces generated by the environment (test harness) checking that specifications are satisfied for particular traces generated by the environment (test harness) SPeX/Bogor (!)

Experiments without reductions w/ JML w/o JML Test Platform JDK (32-bit mode) on a 2 GHz Opteron with maximum heap of 1 GB running Linux (64-bit mode) Checking JML specs adds 20-40% overhead A bad case… 300%

Bogor’s Reduction Algorithms — Enables Checking JML Specs Indicates little overhead compared with simply exploring the state-space w/ JML w/o JML w/ JML w/o JML w/ POR w/o POR 8 hrs  1.5 mins

Tool Development Framework Bogor – Eclipse-based Tool Components Architecture allows encapsulation/integration with other verification tools using IBM’s Eclipse Integrated Development Environment Cadena CORBA Component Model verification Next generation of Bandera Java Model- checking Tool Set SpEx JML Verification, etc.

JMLEclipse JML syntax highlighting JML well-formedness checking Working with a number of groups in JML community to integrate static analysis and theorem-proving based tools into a single framework.

Outline of Talk avionics mission-control domain model-checking engine for Cadena environment for CORBA Component Model development extension abstracts real-time CORBA event-channel layer III. A complex Bogor extension I. A simple Bogor extension a simple version of symmetric sets moving beyond assertions & temporal logic SpEx – checking JML specifications Adding support for concurrency to JML II. Checking strong specs for OO programs

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.