Slide 1: Synthesis of Interface Specifications for Java Classes
Rajeev Alur, University of Pennsylvania
Joint work with P. Cerny, G. Gupta, P. Madhusudan, W. Nam, A. Srivastava
Slide 2: Static Interfaces for Java Classes
The static interface of java.security.Signature is the list of method signatures; it says nothing about the order in which the methods may be called:

```java
package java.security;
…
public abstract class Signature extends java.security.SignatureSpi {
    protected int state = UNINITIALIZED;
    public void initVerify(PublicKey publicKey) { … }
    public byte[] sign() throws SignatureException { … }
    public boolean verify(byte[] signature) throws SignatureException { … }
    public void update(byte b) throws SignatureException { … }
    …
}
```
Slide 3: Dynamic Interface for the Signature Class
Methods: InitVerify, InitSign, Sign, Verify, Update
Rules on how to use the class so that SignatureException is never thrown:
- Verify (Sign) may only be called when the most recent initialisation call was InitVerify (InitSign); any number of Update calls may occur in between
- Update cannot be called first
[Figure: interface automaton with three states. Edge labels on the slide: a self-loop S, U, IS; a self-loop V, U, IV; transitions IS and IV between the states.]
Slide 4: Dynamic Interface: AbstractList.ListItr

```java
public Object next()      { … lastRet = cursor++; … }
public Object prev()      { … lastRet = cursor; … }
public void remove()      { if (lastRet == -1) throw new IllegalStateException(); … lastRet = -1; … }
public void add(Object o) { … lastRet = -1; … }
```

[Figure: interface automaton with states Start, Unsafe and Safe. Edge labels on the slide: add; next; remove, add; next, prev.]
Slide 5: Why and What?
Motivation: interfaces are good formal summaries for
- the user of the class
- the programmer of the class: intentions, bugs, unavailability of usage patterns, etc.
- code maintenance: when a class is changed, one can check whether the interface has changed
Goal: automatically extract the dynamic interface from a Java class
- abstraction phase: extract a finite-state model
- synthesis phase: generate the "correct" interface
Slide 6: Background: Software Model Checking via Abstraction
Can we apply model checking to C programs?
- Tools like SPIN and SMV do powerful analysis of models, but constructing models is expensive, and the models have no relation to the code
- Given a program P, build an abstract finite-state (Boolean) model A such that the set of behaviours of P is a subset of those of A (conservative abstraction)
- The basic ideas have been around for a while, but all the components were put together effectively only recently: SLAM, Bandera, Blast, …
- Shown to be effective on Windows device drivers and Linux source code (about 10K lines of code)
Slide 7: Abstracting Software
Program, with predicates bx: x>0 and by: y>0:

```
int x, y;
if (x > 0) { …… y := x + 1; …… }
else       { …… y := x + 1; …… }
```

Boolean program:

```
bool bx, by;
if (bx) { …… by := true; …… }
else    { …… by := {true, false}; …… }
```
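The Boolean program on this slide can be reproduced mechanically. The Python below is an added example for this page, not code from SLAM, Blast or JIST: where those tools ask a theorem prover whether a predicate must hold after a statement, it enumerates a small finite integer range instead (an assumption that keeps it self-contained), and it also checks the conservative-abstraction property stated on slide 6, namely that every concrete step of the program is one of the steps the Boolean program allows.

```python
"""Predicate abstraction of the slide's two-branch program, by bounded enumeration.

Added illustration, not SLAM/Blast/JIST code.  The theorem-prover query those
tools make ("must `by` hold after `y := x + 1` given the abstract pre-state?")
is answered here by trying every concrete value in DOMAIN.
"""

# The two predicates from the slide, evaluated on a concrete state (x, y).
PREDS = {
    "bx": lambda x, y: x > 0,
    "by": lambda x, y: y > 0,
}
# Assumption: a small finite range stands in for the machine integers.
DOMAIN = range(-8, 9)

def stmt(x, y):
    """Concrete effect of the statement `y := x + 1` on the state (x, y)."""
    return x, x + 1

def abstract_post(abs_in, target):
    """Values the predicate `target` may take after `stmt`, given an abstract pre-state.

    abs_in fixes some predicates to booleans, e.g. {"bx": True}.  The result is
    {True}, {False} or {True, False}; a two-element result is exactly what forces
    the nondeterministic `:= {true, false}` in the Boolean program.
    """
    results = set()
    for x in DOMAIN:
        for y in DOMAIN:
            if all(PREDS[p](x, y) == v for p, v in abs_in.items()):
                results.add(PREDS[target](*stmt(x, y)))
    return results

def boolean_branch(bx):
    """Assignment to `by` emitted for the branch guarded by the abstract value bx."""
    return abstract_post({"bx": bx}, "by")

def covered(x, y):
    """Conservative-abstraction check: the concrete step from (x, y) must be one of
    the abstract steps allowed from its abstract pre-state."""
    bx = PREDS["bx"](x, y)
    by_after = PREDS["by"](*stmt(x, y))
    return by_after in boolean_branch(bx)

if __name__ == "__main__":
    print("then-branch (bx = true):  by :=", boolean_branch(True))
    print("else-branch (bx = false): by :=", boolean_branch(False))
    print("every concrete run covered:", all(covered(x, y) for x in DOMAIN for y in DOMAIN))
```

The else-branch loses precision because x = 0 satisfies neither bx nor any other available predicate, so the abstraction cannot tell whether y = x + 1 is positive; that imprecision is the source of the spurious behaviours a refinement step has to remove.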
Slide 8: Game in the Abstracted Program
[Figure: abstract program graph with edges labelled next and prev; yellow states belong to Player 0, purple states to Player 1.]
- From yellow states, Player 0 (the environment using the class) chooses the next method call
- From purple states, Player 1 (the class) chooses a path through the abstract program until the call returns
- Objective for Player 0: avoid the error states (states from which an exception can be raised)
- A winning strategy for Player 0 is a correct sequence of method calls, i.e. the interface
Slide 9: JIST: Java Interface Synthesis Tool
Pipeline: Java → Java byte code → Jimple (via Soot) → Boolean Jimple (abstraction using predicates)
Slide 10: JIST: Java Interface Synthesis Tool
Boolean Jimple → Interface
- Can be set up as a (partial-information) game
- The most general interface can be synthesized
- However, the most general interface could be very large (exponential in the size of the model)
- Challenge: find a small, readable interface
Slide 11: Interface Synthesis Goal
Given a Boolean abstraction of a Java class C and a number k, generate a state machine I with at most k states that represents a correct interface to C.
* The interface should be maximal in the sense that adding any edge to I gives a wrong interface.
Slides 12-13: Interface Synthesis
1. Start with the most general interface I that allows all possible sequences of method calls
2. Model check C with the interface I (symbolically, using NuSMV)
3. If the check fails with a counterexample: refine I so that it no longer exhibits this counterexample (a heuristic step), then go back to step 2
4. If the check succeeds: determinize and minimize I, and output I
Slide 14: Signature Class
[Figure: the synthesized interface automaton. Edge labels on the slide: S, U, IS; IV, IS; V, U, IV; IS; IV; IS.]
- 3 global-variable predicates
- Variables: 12 + 6 (for pc) + 7 (for interface) = 25
- Time: 20 seconds
Slide 15: ListItr Class
[Figure: the synthesized interface automaton. Edge labels on the slide: (add, *), (next, 0), (prev, 0), (set, *), (next, 1), (prev, 1), (add, 1), (remove, 1).]
- 3 global-variable predicates: lastRet = -1, cursor = 0, cursor = 1
- Variables: 29
- Time: 5 min 40 s
- http://www.cis.upenn.edu/jist/eg/ListItr/ListItr.html
Intuitively, once a successful next or prev has been executed:
- an arbitrary number of calls to set is allowed
- one call to add or remove is allowed
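The interfaces on slides 3, 4, 14 and 15 can be recovered from small abstract models of the two classes. The Python below is an added example for this page and is not the JIST implementation: where JIST tightens an over-approximate interface using NuSMV counterexamples (slides 12-13), this code builds the possibly exponential most general interface directly and then minimizes it, which is the "determinize and minimize" step. The class is treated as the partial-information game of slides 8 and 10: the caller sees only the method it invoked and the outcome it got back, so each interface state is a belief (a set of possible abstract states) and a call is permitted only if no outcome can lead any of those states to an exception. The model format, the reading of the slide's outcome labels 0/1 as "did not advance"/"advanced", and the treatment of set() as failing when lastRet == -1 are assumptions of this example.

```python
"""Most general interface of a class from its finite abstract model (added illustration).

Model format (assumed): {(state, method): {(outcome, next_state), ...}}.
ERR is the abstract state "an exception can be raised".  Outcome None means the
call's result does not distinguish cases; several pairs with the same outcome
model nondeterminism the caller cannot observe.
"""
from collections import deque

ERR = "ERR"

# Abstract model of java.security.Signature (slide 3): only the `state` field.
SIGNATURE = {}
for s in ("UNINIT", "SIGN", "VERIFY"):
    SIGNATURE[(s, "initSign")] = {(None, "SIGN")}
    SIGNATURE[(s, "initVerify")] = {(None, "VERIFY")}
    SIGNATURE[(s, "update")] = {(None, ERR if s == "UNINIT" else s)}
    SIGNATURE[(s, "sign")] = {(None, "SIGN" if s == "SIGN" else ERR)}
    SIGNATURE[(s, "verify")] = {(None, "VERIFY" if s == "VERIFY" else ERR)}

# Abstract model of AbstractList.ListItr (slides 4, 15) over the predicate
# lastRet == -1 (NOLAST) versus lastRet != -1 (LAST).  Outcome 1 = advanced,
# 0 = did not advance (assumption, following the slide's labels).
LISTITR = {
    ("NOLAST", "next"):   {(1, "LAST"), (0, "NOLAST")},
    ("NOLAST", "prev"):   {(1, "LAST"), (0, "NOLAST")},
    ("NOLAST", "add"):    {(None, "NOLAST")},
    ("NOLAST", "set"):    {(None, ERR)},      # assumption: set() needs lastRet != -1
    ("NOLAST", "remove"): {(None, ERR)},
    ("LAST", "next"):     {(1, "LAST"), (0, "LAST")},
    ("LAST", "prev"):     {(1, "LAST"), (0, "LAST")},
    ("LAST", "add"):      {(None, "NOLAST")},
    ("LAST", "set"):      {(None, "LAST")},
    ("LAST", "remove"):   {(None, "NOLAST")},
}

def synthesize(model, init):
    """Subset construction that refuses any call with an outcome that might reach ERR.

    Returns (beliefs, edges) with edges[(belief, method, outcome)] = next belief.
    """
    methods = sorted({m for _, m in model})
    start = frozenset([init])
    edges, seen, todo = {}, {start}, deque([start])
    while todo:
        belief = todo.popleft()
        for m in methods:
            by_outcome = {}                       # outcome -> possible next states
            for s in belief:
                for out, nxt in model.get((s, m), ()):
                    by_outcome.setdefault(out, set()).add(nxt)
            # Player 1 picks the outcome, so m is safe only if every outcome is safe.
            if not by_outcome or any(ERR in b for b in by_outcome.values()):
                continue
            for out, b in by_outcome.items():
                b = frozenset(b)
                edges[(belief, m, out)] = b
                if b not in seen:
                    seen.add(b)
                    todo.append(b)
    return seen, edges

def minimize(beliefs, edges):
    """Moore partition refinement.  Every interface state is accepting, so the
    initial partition is trivial; enabled labels and their targets refine it."""
    block = {b: 0 for b in beliefs}
    while True:
        sig = {b: (block[b],) + tuple(sorted(
                   ((m, o, block[t]) for (src, m, o), t in edges.items() if src == b),
                   key=repr)) for b in beliefs}
        ids = {}
        new = {b: ids.setdefault(sig[b], len(ids)) for b in beliefs}
        if len(ids) == len(set(block.values())):
            return new
        block = new

def interface(model, init):
    """(start state, edges, number of states) of the minimized interface automaton."""
    beliefs, edges = synthesize(model, init)
    block = minimize(beliefs, edges)
    small = {(block[src], m, o): block[t] for (src, m, o), t in edges.items()}
    return block[frozenset([init])], small, len(set(block.values()))

def permitted(iface, calls):
    """True iff the call sequence [(method, outcome), ...] stays inside the interface."""
    state, edges, _ = iface
    for m, o in calls:
        if (state, m, o) not in edges:
            return False
        state = edges[(state, m, o)]
    return True

if __name__ == "__main__":
    for name, model, init in (("Signature", SIGNATURE, "UNINIT"), ("ListItr", LISTITR, "NOLAST")):
        start, edges, n = interface(model, init)
        print(f"{name}: {n} interface states, start = {start}")
        for (s, m, o), t in sorted(edges.items(), key=repr):
            print(f"  {s} --{m}{'' if o is None else ',' + str(o)}--> {t}")
```

For Signature the result is the three-state automaton of slides 3 and 14 (initial state, signing state with self-loop S, U, IS, verifying state with self-loop V, U, IV); for ListItr it is the two-state automaton of slide 15, in which set loops only in the state reached by a (next, 1) or (prev, 1) edge and add or remove lead back to the initial state. The belief sets here all have one element because both models are deterministic per outcome; with a coarser predicate abstraction the same construction carries sets of states and is where the exponential blow-up of slide 10 comes from.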
Slide 16: Related Work
Lam et al.: synthesize interfaces by static analysis and dynamic "learning"
- Not sound: even if a user follows the interface, exceptions can occur
Our approach:
- Sound
- Tends towards completeness by using heuristics
[Figure: the approaches placed on an axis from static analysis to full state-space exploration, with JIST at the state-space-exploration end.]
Slide 17: Future Work
Improved abstraction phase
Improving the synthesis phase:
- symbolic computational techniques for solving partial-information games
- using learning algorithms for generating interfaces
Abstraction refinement:
- if Env does not invoke any method, exceptions can never be raised
- how to refine the current abstraction based on the quality of the current behavioural type?
Improving the tool: robustness, more experimentation
Features of Java:
- class hierarchy
- multiple interrelated classes (pushdown games)