Professional Documents
Culture Documents
Bandera: Extracting Finite-State Models From Java Source Code
Bandera: Extracting Finite-State Models From Java Source Code
Bandera: Extracting Finite-State Models From Java Source Code
6
Property Specification Window
Source Window
7
class Heap f class Connector f class Stage1 extends Thread f
static Connector c1,c2,c3,c4; public int queue = -1; public void run() f
g public synchronized int take() f int tmp = -1;
int value; while (tmp != 0)
class Main f while ( queue < 0 ) if ((tmp=Heap.c1.take()) != 0)
static public void main ( try f wait(); g Heap.c2.add(tmp+1);
String argv[]) f catch (InterruptedException ex) fg Heap.c2.stop();
Heap.c1 = new Connector(); value = queue; g ??
Heap.c2 = new Connector(); queue = -1; g
(new Stage1()).start(); return value; class Stage2 extends Thread f...g
Heap.c3 = new Connector(); g class Stage3 extends Thread f...g
(new Stage2()).start(); public synchronized void add(int o) f class Listener extends Thread f
Heap.c4 = new Connector(); queue = o; public void run() f
(new Stage3()).start(); notifyAll(); int tmp = -1;
(new Listener()).start(); g while (tmp != 0)
for (int i=1; i<10; i++) public synchronized void stop() f if ((tmp=Heap.c4.take()) != 0)
Heap.c1.add(i); queue = 0; System.out.println(
Heap.c1.stop(); ? notifyAll(); "output is " + tmp);
g g g
g g g
Figure 3: Threaded Pipeline in Java
is not supported. extracted from the basic program with no transforma-
We checked two kinds of properties for this system re- tions.
lated to the proper shutdown of pipelined computa- The data shows the benets of property-directed slicing
tions. The properties specify (i) the eventual shutdown and abstraction in model extraction. We performed a
of a pipeline stage in response to a call to stop on the single transformation-less extraction, which essentially
pipeline's input Connector and (ii) that a stage does transliterates the program to Promela and checks it with
not prematurely shutdown. For Stage1 property (i) is Spin. Sliced extractions are driven completely automat-
expressed as a global, response property in LTL as: ically o of the temporal logic specication. Slicing on
2(Heap.c1.stop() ! 3 Stagei.run:return ) property (r1) is able to eliminate all of the components
and property (ii) is expressed as a global, precedence shown in the faded font in Figure 3. As the data in-
property in LTL as: dicates this yields dramatic performance improvement,
3 Heap.c1.stop() ! (: Stagei.run:return U but that the improvement is dependent on the prop-
( Heap.c1.stop() ^: Stagei.run:return)) erty being checked. The response property for Stage2
The primitive propositions in these formula are ex- requires that the run method for that class and the
pressed as collections of locations in the source code Heap.c2 variable be included in the slice. Only one
and are indicated by the ?s in Figure 3. The BUI al- abstraction was applied for this program. The queue
lows users to point-and-click to identify such locations, eld of the Connector object is abstracted to Signs
in Figure 2 the last line of main was selected (its line which manipulates tokens Neg, Zero, Pos and >. The
number, 11, appears in the LTL formula). collapsing of data states with this abstraction further
Table 4 shows data for checking several of the proper- reduces the state space and check times. In fact, for
ties described above using Bandera. The table gives the the properties we checked, the models extracted with
total time required to extract the model from code, to abstraction do not depend on the number or size of the
check that model on the property using Spin, the result values added to the pipeline in the main loop. Since
of the model check, and the number of states searched. slicing is driven o the propositions in the specication,
The times given are user plus system time, rounded to and not its structure, the models for (b,r1) and (b,p1)
the nearest second, for Bandera 0.3 and Spin 3.3.5 run- are the same although the structure of the property has
ning on a 450 Mhz Pentium II Xeon running Linux. We a small impact on state space and check time. Finally,
used two variations of the program: the code in Figure 3 the extracted models for (d,r1) illustrate that the model
is the basic version (b) and a defective variant was cre- extraction process preserves defects in the source code.
ated by inverting Stage1's loop exit condition (d). The In summary, this data illustrates how Bandera can sup-
properties are instances of the response (r) and prece- port scaling the application of verication tools. Since
dence (p) properties from above indexed by the stage the complexity of the algorithms used in Bandera are
number. Three dierent extractions were tried using no typically much lower than the complexity of most nite-
transformations (n), slicing (s) and slicing and abstrac- state verication algorithms, in practice, this should al-
tion (a). We identify a problem by using the letter for low properties of signicantly larger systems to be ver-
the problem, property and extraction, e.g., \b,r1,n" is ied.
the response property for Stage1 checked on a model
8
Problem Extract Check Check States dening pairs of C and Promela code patterns. When
Time (s) Time (s) Result the C pattern is detected, the Promela pattern is instan-
b,r1,n 24 2674 true 7338120 tiated and output. In this way, the user can control the
b,r1,s 13 4 true 3478 abstraction process, but there is no assurance about the
b,r1,a 15 4 true 895 information that is encoded in the model since the pat-
b,r2,s 13 56 true 528059 terns have no semantics attached to them. Nevertheless,
b,r2,a 16 11 true 27519 users can debug their patterns over a period of time and
b,p1,s 13 4 true 2507 the resulting model extraction process has proven eec-
b,p1,a 15 4 true 331 tive for production C programs in telecommunications
d,r1,s 13 3 false 88 applications.
d,r1,a 15 2 false 17 Huch [18] has built a dedicated model-checker for a
subset of Erlang { an untyped higher-order concurrent
Figure 4: Bandera Pipeline Data functional language with asynchronous communication
primitives. For state space reduction, he uses a sin-
gle abstract interpretation that approximates the set
Extraction of compact models is crucial for practical of data constructors that
ow into expressions at run-
application of nite-state verication to software. Con- time. When one restricts the recursion in programs
cise presentation of diagnostic information provided by to a reasonable generalization of tail-recursion, the ab-
veriers is just as important. For example, the 159 stract interpretation is guaranteed to give a nite-state
statement long counter-example that is being navigated model. Given such a model, properties such as mutual
through in Figure 2 corresponds to a 1780 step counter- exclusion and absence of deadlock and livelock can be
example in the underlying Promela model. checked. Given the untyped nature of the language, it
is not clear to us how would one obtain more eective
Here we reported data for a Connector with a capacity abstract interpretation by using multiple abstractions
of one value implemented as a single integer. We have tailored to given specications rather than the single
applied Bandera to versions of this program where the uniform abstraction used by Huch. However, the tech-
Connector is implemented as a circular buer of xed niques used to treat recursion might be used for Java.
size and as an instance of java.util.Vector. In both Huch gives some of the same advantages and disadvan-
these latter cases, the arrays that store the actual val- tages of this monolithic approach that we noted in the
ues could be sliced away, leaving only the elds that de- introduction. For example, he notes that he must recode
termine emptiness; these elds appear in the condition model-checking optimizations such as partial-order re-
used for waiting to take values from the Connector. ductions in his system. However, he argues that work-
5 RELATED WORK ing at the level of Erlang instead of e.g., a generated
There has been a signicant amount of activity in the Promela description, will allow easier detection of the
past years on attempting to provide tool support for the cases where such optimizations can be applied.
translation of software system descriptions to the input Several model checking tools have begun to apply tradi-
languages of verication tools. There are three major tional compiler optimizations, such as dead code elimi-
eorts in this area: JavaPathFinder [13], JCAT [4], and nation and live-variable analyses, to optimize the check-
Feaver [16]. ing process [6, 15]. Bandera incorporates a sophisti-
The rst two tools transliterate Java programs to cated infra-structure for implementing such analyses
Promela programs. Since Promela is a very rich model and transformations. We plan to use this infra-structure
description language the semantic gap is not nearly as to enable importation of techniques developed in com-
great as for some other model checker input languages, piler research to experiment with model extraction for
e.g., SMV. Each of these tools handle a signicant por- programs with recursive data and methods, e.g., by ex-
tion of Java including dynamic object allocation, object ploiting shape analyses [2].
references, exception processing, and inheritance. The 6 CONCLUSIONS
weakness of these tools is their inability to signicantly We have described the design and implementation of
compress the Promela program based on the property Bandera: a tool for model checking Java source code.
to be checked, so as to enable tractable model check- Bandera uses a component-based architecture for model
ing for non-trivial programs. This is one of the major extraction designed to maximize scalability,
exibility,
design goals of Bandera. and extensibility. We have discussed how several tech-
Feaver is a system for extracting Promela programs from nologies that have been well-studied in software engi-
annotated C programs for checking with Spin. Feaver neering and programming languages research can be
allows the user to congure the extraction process by adapted and integrated to provide an eective model
9
extraction capability. The current implementation can [8] J. Hatcli, J. C. Corbett, M. B. Dwyer, S. Sokolowski, and
handle a realistic, albeit limited, class of Java programs H. Zheng. A formal study of slicing for multi-threaded pro-
and we have illustrated the potential for model extrac- grams with JVM concurrency primitives. In Proceedings of
the 6th International Static Analysis Symposium (SAS'99),
tion to enable nite-state verication of source code. Sept. 1999.
We are currently working to enrich the features sup- [9] J. Hatcli, M. B. Dwyer, and S. Laubach. Staging static
ported by Bandera in anticipation of a general pub- analysis using abstraction-based program specialization. In
LNCS 1490. Principles of Declarative Programming 10th In-
lic release of the tool-set in the summer of 2000 (see ternational Symposium, PLILP'98, Sept. 1998.
http://www.cis.ksu.edu/~santos/bandera for addi- [10] J. Hatcli, M. B. Dwyer, S. Laubach, and N. Muhammad.
tional information about Bandera and the current state Specializing congurable systems for nite-state verication.
of the tool-set). This work involves, for example, han- Technical Report 98-4, Kansas State University, Department
dling more features of Java (e.g., interfaces, user-thrown of Computing and Information Sciences, 1998.
exceptions), integrating support for abstracting entire [11] J. Hatcli, M. B. Dwyer, and H. Zheng. Slicing software for
classes, rather than abstracting the individual elds model construction. Higher-order and Symbolic Computa-
tion, 2000. to appear.
of the class, and supporting additional veriers (e.g., [12] K. Havelund, M. Lowry, and J. Penix. Formal analysis of a
Stanford's forthcoming SAL model checker and CMU's space craft controller using SPIN. In Proceedings of the 4th
bounded satisability model checker). International SPIN Workshop, Nov. 1997.
By providing automated support for extracting compact [13] K. Havelund and T. Pressburger. Model checking Java pro-
grams using Java PathFinder. International Journal on Soft-
nite-state models of source code, tools like Bandera ware Tools for Technology Transfer, 1999. to appear.
lower the barriers to applying model checking to soft- [14] G. J. Holzmann. The model checker SPIN. IEEE Transac-
ware. We hope this will facilitate the transfer of this tions on Software Engineering, 23(5):279{294, May 1997.
technology from research to practice and provide devel- [15] G. J. Holzmann. Engineering a model checker : The Gnu
opers with a very powerful tool for error detection. i-protocol case study revisited. In Theoretical and Applied
Aspects of SPIN Model Checking (LNCS 1680), Sept. 1999.
ACKNOWLEDGEMENTS [16] G. J. Holzmann and M. H. Smith. Software model check-
The authors would like to thank David Schmidt and ing : Extracting verication models from source code. In
George Avrunin for numerous discussions about the Proceedings of FORTE/PSTV'99, Nov. 1999.
foundations for and design of Bandera. This work was [17] S. Horwitz, T. Reps, and D. Binkley. Interprocedural slicing
supported in part by NSF under grants CCR-9407182, using dependence graphs. ACM Transactions on Program-
CCR-9703094, CCR-9708184 and CCR-9901605, by ming Languages and Systems, 12(1):26{60, Jan. 1990.
NASA under grant NAG-02-1209, and by Sun Microsys- [18] F. Huch. Verication of Erlang programs using abstract
tems under grant EDUD-7824-00130-US. interpretation and model checking. In Proceedings of the
Fourth ACM SIGPLAN International Conference on Func-
REFERENCES tional Programming (ICFP'99), pages 261{272, Sept. 1999.
[19] D. Jackson and C. A. Damon. Elements of style: Analyzing
[1] J. C. Corbett. Evaluating deadlock detection methods for a software design feature with a counterexample detector.
concurrent software. IEEE Transactions on Software Engi- IEEE Transactions on Software Engineering, 22(7):484{495,
neering, 22(3), Mar. 1996. July 1996.
[2] J. C. Corbett. Constructing compact models of concurrent [20] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and
Java programs. In M. Young, editor, Proceedings of the 1998 Concurrent Systems: Specication. Springer-Verlag, 1991.
International Symposium on Software Testing and Analysis
(ISSTA). ACM Press, March 1998. [21] K. McMillan. Symbolic Model Checking. Kluwer Academic
Publishers, 1993.
[3] P. Cousot and R. Cousot. Abstract interpretation: A unied [22] S. Owre, J. M. Rushby, and N. Shankar. PVS: A prototype
lattice model for static analysis of programs by construction verication system. In Proceedings of the 1th International
or approximation of xpoints. In Conference Record of the Conference on Automated Deduction (LNCS 607), 1992.
Fourth Annual ACM Symposium on Principles of Program-
ming Languages, pages 238{252, 1977. [23] R. Valle-Rai, L. Hendren, V. Sundaresan, P. Lam,
[4] C. Demartini, R. Iosif, and R. Sisto. A deadlock detection E. Gagnon, and P. Co. Soot - a Java optimization frame-
tool for concurrent Java programs. Software - Practice and work. In Proceedings of CASCON'99, Nov. 1999.
Experience, 29(7):577{603, July 1999.
[5] D. L. Dill, A. J. Drexler, A. J. Hu, and C. H. Yang. Protocol
verication as a hardware design aid. In IEEE International
Conference on Computer Design, October 1992.
[6] Y. Dong and C. Ramakrishnan. An optimizing com-
piler for ecient model checking. In Proceedings of
FORTE/PSTV'99, Nov. 1999.
[7] M. Dwyer, G. Avrunin, and J. Corbett. Patterns in property
specications for nite-state verication. In Proceedings of
the 21st International Conference on Software Engineering,
May 1999.
10