october 5, 2005 chet 1 efficient checking of component specifications in java systems steven p....

October 5, 2005 CHET 1

Efficient Checking of Efficient Checking of Component Component

SpecificationsSpecifications in Java Systems in Java Systems

Steven P. ReissSteven P. Reiss

Brown UniversityBrown University

April 19, 2023 CHET 2

Our GoalOur Goal To Improve ProgrammingTo Improve Programming

More reliableMore reliable More secureMore secure More robustMore robust More understandableMore understandable EasierEasier

To Deal With Real SystemsTo Deal With Real Systems Not yesterday’sNot yesterday’s Some today’sSome today’s Worrying about tomorrow’sWorrying about tomorrow’s


Model CheckingModel Checking Is the next great thing for Is the next great thing for

programmersprogrammers Will find all our bugs automaticallyWill find all our bugs automatically Will fix all our problemsWill fix all our problems

But with minor exceptions it is not usedBut with minor exceptions it is not used Not on an everyday basisNot on an everyday basis Not for everyday programsNot for everyday programs Not by most programmersNot by most programmers

What is needed hereWhat is needed here Must be “automatic” -- no effort requiredMust be “automatic” -- no effort required Must be fast -- “compilation speed”Must be fast -- “compilation speed” Must be helpful -- accurate, preciseMust be helpful -- accurate, precise


The Problem of The Problem of ComponentsComponents

Java programs are built on class librariesJava programs are built on class libraries Standard java librariesStandard java libraries Open source librariesOpen source libraries Libraries created for an applicationLibraries created for an application

Creators know how they should be usedCreators know how they should be used Each has its own pattern of usageEach has its own pattern of usage Typically fail if not used correctlyTypically fail if not used correctly

Make sure they are used correctlyMake sure they are used correctly Throughout the programThroughout the program Each instanceEach instance StaticallyStatically With “real” Java programsWith “real” Java programs


The SolutionThe Solution

Create a ComponentSpecification Language

Find Instances ofComponent Usage

Check Each Instancefor Validity


Specification LanguageSpecification Language Define how components should be Define how components should be

usedused In a way that matches their useIn a way that matches their use Once for all potential instancesOnce for all potential instances

So that it can be done by programmersSo that it can be done by programmers And the specification can be understoodAnd the specification can be understood

SolutionSolution Use finite automata Use finite automata

Over parameterized program eventsOver parameterized program events Matches call sequences, variable usage, etc.Matches call sequences, variable usage, etc.


Specification InstancesSpecification Instances Components are used multiple timesComponents are used multiple times

List, Iterator, XmlWriter, …List, Iterator, XmlWriter, … Need to handle each use separatelyNeed to handle each use separately Uses must be found automaticallyUses must be found automatically

As specific as possible (statically)As specific as possible (statically) SolutionSolution

Using flow analysis over the class filesUsing flow analysis over the class files Trigger events define instancesTrigger events define instances Other events used in particular Other events used in particular

instancesinstances


Checking SpecificationsChecking Specifications Each instance must be checkedEach instance must be checked

IndependentlyIndependently To ensure the specification is metTo ensure the specification is met

SolutionSolution Create a simple model program per Create a simple model program per

instanceinstance Check if model program meets Check if model program meets

specificationspecification Using model checking techniquesUsing model checking techniques

Do all this efficientlyDo all this efficiently


Keeping this PracticalKeeping this Practical Most components are used through callsMost components are used through calls

Control flow determines call sequencesControl flow determines call sequences Data flow determines which callsData flow determines which calls

Most component usage is single threadedMost component usage is single threaded Can often ignore thread interactionsCan often ignore thread interactions

This is simpler than the general problemThis is simpler than the general problem Need to track fewer variablesNeed to track fewer variables Need to worry less about variable valuesNeed to worry less about variable values Need to worry less about interweavingNeed to worry less about interweaving


CHET OverviewCHET Overview

Specifications ApplicationFlow

Analysis

Instances

Abstract ProgramBuilder

ProgramChecker

Report


Iterator UsageIterator Usage

E1 (New) -- TRIGGERE1 (New) -- TRIGGER RETURN(iterator)RETURN(iterator) C1 = resultC1 = result

E2 (HasNext)E2 (HasNext) CALL (hasNext)CALL (hasNext) this = C1this = C1

E3 (Next)E3 (Next) CALL (next)CALL (next) this = C1this = C1

E4 (HasMore)E4 (HasMore) CALL CALL (hasMoreElements)(hasMoreElements) this = C1this = C1

E5 (NextElt)E5 (NextElt) Call(nextElement)Call(nextElement) this = C1this = C1


Comodification CheckingComodification Checking

E1 (New) -- TRIGGERE1 (New) -- TRIGGER ALLOC (Vector)ALLOC (Vector) C1 = resultC1 = result

E2 (Add)E2 (Add) CALL (add)CALL (add) this = C1this = C1

E3 (Add1)E3 (Add1) CALL (addElement)CALL (addElement) this = C1this = C1

E4 (Add2)E4 (Add2) CALL (addAll)CALL (addAll) this = C1this = C1

E5 (Iter)E5 (Iter) RETURN (iterator)RETURN (iterator) this = C1, C2 = returnthis = C1, C2 = return

E6 (Next)E6 (Next) CALL (next)CALL (next) this = C2this = C2

E7 (Next1)E7 (Next1) CALL (nextElement)CALL (nextElement) this = C2this = C2


Xml Writer UsageXml Writer Usage

E0 (New) -- TRIGGERE0 (New) -- TRIGGER ALLOC (XmlWriter)ALLOC (XmlWriter) C1 = newC1 = new

E1 (Begin)E1 (Begin) CALL (begin)CALL (begin) this = C1this = C1

E2 (End)E2 (End) CALL (end)CALL (end) this = C1this = C1

E3 (Field)E3 (Field) CALL (field)CALL (field) this = C1this = C1

E4 (Cdata)E4 (Cdata) CALL (cdata)CALL (cdata) this = C1this = C1

E5 (Text)E5 (Text) CALL (text)CALL (text) this = C1this = C1

E6 (Xml)E6 (Xml) CALL (writeXml)CALL (writeXml) this = C1this = C1

E7 (Close)E7 (Close) CALL (close)CALL (close) this = C1this = C1


File Open-CloseFile Open-Close

E1 (Create) - E1 (Create) - TT

ALLOC ALLOC (FileWriter)(FileWriter) C1 = newC1 = new

E2 (Open)E2 (Open) RETURN (<init>)RETURN (<init>) this = C1this = C1


E4 (Nest)E4 (Nest) CALL (<init>)CALL (<init>)arg1 = arg1 = C1,C1,

C2 = thisC2 = this

E5 E5 (CloseNext)(CloseNext) CALL (close)CALL (close) this = C2this = C2

E6 (Nest1)E6 (Nest1) CALL CALL (<init>)(<init>)

arg1 = C2,arg1 = C2,

C3 = thisC3 = this

E7 (CloseNest1)E7 (CloseNest1) CALL (close)CALL (close) this = C3this = C3

E8 (Nest2)E8 (Nest2) CALL CALL (<init>(<init>

arg1 = C3,arg1 = C3,

C4 = thisC4 = this

E9 (CloseNest2)E9 (CloseNest2) CALL (close)CALL (close) this = C4this = C4


Catching ErrorsCatching Errors

E1 (Create) -- E1 (Create) -- TRIGGERTRIGGER ALLOC (Error)ALLOC (Error) C1 = newC1 = new

E2 (Throw)E2 (Throw) THROWTHROW throw = C1throw = C1

E3 (Catch)E3 (Catch) CATCHCATCH catch = C1catch = C1


Web Crawler LibraryWeb Crawler Library

E1 (Begin) E1 (Begin) T T

CALL (beginProcessing)CALL (beginProcessing) C1 = arg1C1 = arg1

E2 (Open)E2 (Open) RETURN RETURN (openConnection)(openConnection) this = C1this = C1

E3 (Save)E3 (Save) CALL (saveHtml)CALL (saveHtml) this = C1this = C1

E4 (File)E4 (File) CALL (getHtmlFile)CALL (getHtmlFile) this = C1this = C1

E5 E5 (Header)(Header) CALL (saveHeader)CALL (saveHeader) this = C1this = C1

E6 (Links)E6 (Links) CALL (saveLinks)CALL (saveLinks) this = C1this = C1

E7 E7 (Redirect)(Redirect)

CALL CALL (setRedirectHtml)(setRedirectHtml)

this = C1this = C1

E8 (NoteErr)E8 (NoteErr) CALL (setError)CALL (setError) this = C1this = C1

E9 (Text)E9 (Text) CALL (processText)CALL (processText) this = C1this = C1

E10 E10 (TextBrk)(TextBrk)

CALL CALL (processTextBreak)(processTextBreak)

this = C1this = C1

E11 (Finish)E11 (Finish) CALL CALL (endProcessing)(endProcessing)

this = C1this = C1


Nested LocksNested Locks

E0 (Alloc) -- TRIGGERE0 (Alloc) -- TRIGGER ALLOC (Object)ALLOC (Object) C1 = newC1 = new

E1 (Lock_X)E1 (Lock_X) LOCKLOCK lock = C1lock = C1

E2 (Unlock_X)E2 (Unlock_X) UNLOCKUNLOCK lock = C1lock = C1

E3 (Lock_Y)E3 (Lock_Y) LOCKLOCK C2 = newC2 = new

E4 (Unlock_Y)E4 (Unlock_Y) UNLOCKUNLOCK lock = C2lock = C2


Events & ParametersEvents & Parameters CALL (caller this, argCALL (caller this, argii, calling this), calling this) RETURN (this, return value)RETURN (this, return value) ENTRY (this, argENTRY (this, argii)) FIELD (this) [set to int, null, nonnull]FIELD (this) [set to int, null, nonnull] ALLOC (new object)ALLOC (new object) CATCH (catch object)CATCH (catch object) THROW (throw object)THROW (throw object) LOCK (lock object)LOCK (lock object) UNLOCK (lock object)UNLOCK (lock object)


Why Event-Based Why Event-Based SpecificationSpecification

ESP and others use code patternsESP and others use code patterns These are closer to programsThese are closer to programs And hence easier to understandAnd hence easier to understand

However they are hard to generalizeHowever they are hard to generalize Iterator can use nextElement or nextIterator can use nextElement or next Nested opens and alternativesNested opens and alternatives Xml writer alternativesXml writer alternatives

Events and automata generalizeEvents and automata generalize Easy to define abstract patternsEasy to define abstract patterns

Still understandable by programmersStill understandable by programmers


Finding All InstancesFinding All Instances Done using flow analysisDone using flow analysis

Of the program and its librariesOf the program and its libraries Handling all specifications at onceHandling all specifications at once

Each trigger event yields a sourceEach trigger event yields a source We determine where this source can flowWe determine where this source can flow This determines which events are relevantThis determines which events are relevant

To this particular instanceTo this particular instance

But its not that easyBut its not that easy Multiple-parameter eventsMultiple-parameter events Accurate flow and type analysis requiredAccurate flow and type analysis required


ExampleExampleVector<A> v = …Vector<A> v = …

Iterator it = v.iterator();Iterator it = v.iterator();

while (it.hasNext()) {while (it.hasNext()) {

A x = it.next();A x = it.next();

……

}}

……

for (it = v.iterator();for (it = v.iterator();

it.hasNext(); ) {it.hasNext(); ) {

A y = it.next();A y = it.next();

……

}}

Trigger Source

Trigger Source


Flow AnalysisFlow Analysis Identify sourcesIdentify sources

From trigger events From trigger events Tracking sources and where they Tracking sources and where they

flowflow Through symbolic executionThrough symbolic execution

Result: Determine at each locationResult: Determine at each location What sources are usedWhat sources are used

This lets us check event parametersThis lets us check event parameters Trigger source used on call => eventTrigger source used on call => event


Flow Analysis GoalsFlow Analysis Goals Complete analysisComplete analysis

Ensure we track all possible uses a Ensure we track all possible uses a sourcesource

Must include libraries as well as Must include libraries as well as user codeuser code

Accurate analysisAccurate analysis Must know types for virtual callsMust know types for virtual calls Must understand full Java semanticsMust understand full Java semantics Must handle all methods (including Must handle all methods (including

native, etc.)native, etc.)


Flow Analysis TechniquesFlow Analysis Techniques Done at the byte code levelDone at the byte code level

Tracking types and valuesTracking types and values Through symbolic executionThrough symbolic execution

Full Interprocedural flow analysisFull Interprocedural flow analysis Using a work queue approachUsing a work queue approach Of user code and librariesOf user code and libraries Handling all the complexities of JavaHandling all the complexities of Java

Selectively context sensitiveSelectively context sensitive Flow sensitive, not path sensitiveFlow sensitive, not path sensitive

Tradeoff accuracy and speedTradeoff accuracy and speed Accuracy where important, speed Accuracy where important, speed

otherwiseotherwise


Flow Analysis IssuesFlow Analysis Issues Speed versus accuracySpeed versus accuracy

Start with the minimum possibleStart with the minimum possible Add more information to get needed accuracyAdd more information to get needed accuracy

What to trackWhat to track Trigger sources; all other sourcesTrigger sources; all other sources

Java Issues that aroseJava Issues that arose Static initializersStatic initializers ConstructorsConstructors Native methodsNative methods ReflectionReflection CallbacksCallbacks Data structuresData structures ExceptionsExceptions


What to Track: SourcesWhat to Track: Sources Local SourcesLocal Sources

Anything generated via a new operatorAnything generated via a new operator Track values stored in fields of the Track values stored in fields of the

sourcesource Array SourcesArray Sources

Created by new array operators Created by new array operators Track values stored in the arrayTrack values stored in the array

Fixed SourcesFixed Sources Results from native methods, built-in Results from native methods, built-in

valuesvalues Can be mutable (changed on a cast)Can be mutable (changed on a cast)


SourcesSources Model SourcesModel Sources

Generated by trigger eventsGenerated by trigger events One-to-one association with One-to-one association with

instancesinstances Field SourcesField Sources

Track the values of fieldsTrack the values of fields Only for fields used in specificationsOnly for fields used in specifications Determine where the fields are usedDetermine where the fields are used

Others Others Privacy, …Privacy, …


ValuesValues Flow analysis deals with valuesFlow analysis deals with values

These are sets of sourcesThese are sets of sources Associated with each field, local, Associated with each field, local,

stack, …stack, … Value contains additional Value contains additional

informationinformation Data type (for type analysis)Data type (for type analysis) CanBe or MustBe NULL flagsCanBe or MustBe NULL flags Integer value range (or indefinite)Integer value range (or indefinite)

Operations applied symbolicallyOperations applied symbolically


Static InitializersStatic Initializers ProblemProblem

Called implicitly at first useCalled implicitly at first use Must return before class can be usedMust return before class can be used

Accurate field analysis requires thisAccurate field analysis requires this But it can call methods of the classBut it can call methods of the class Some classes initialized by JVMSome classes initialized by JVM

SolutionSolution Track whether initializer has been startedTrack whether initializer has been started Add some system classes by defaultAdd some system classes by default Don’t process methods before startedDon’t process methods before started


ConstructorsConstructors ProblemProblem

Most methods assume constructor doneMost methods assume constructor done Accurate field analysis requires thisAccurate field analysis requires this But constructors can be quite complexBut constructors can be quite complex

SolutionSolution Track current set of constructors we Track current set of constructors we

are inare in Only process method if Only process method if

We have constructed an object of this class We have constructed an object of this class OROR

We are called from within the constructorWe are called from within the constructor


Native & Reflexive Native & Reflexive MethodsMethods

Problem Problem These are hidden from static analysisThese are hidden from static analysis

Solution 1: Default handlingSolution 1: Default handling Use a fixed source of return typeUse a fixed source of return type Use mutable sources where Use mutable sources where

appropriateappropriate Solution 2: Internal Special Solution 2: Internal Special

handlinghandling arraycopy : copy array valuesarraycopy : copy array values


Native & Reflexive Native & Reflexive MethodsMethods

Solution 3: Resource-based returnSolution 3: Resource-based return User specifies return type in resource fileUser specifies return type in resource file Can be specified as mutableCan be specified as mutable On a function basisOn a function basis On a call-site basisOn a call-site basis

Solution 4: Method substitutionSolution 4: Method substitution Resource file can specify alternative Resource file can specify alternative

methodmethod Thread.start => Thread.runThread.start => Thread.run AccessController.doPrivileged => runAccessController.doPrivileged => run


Native and Reflexive Native and Reflexive MethodsMethods

Solution 5: IgnoreSolution 5: Ignore Resource file can specify calls to ignoreResource file can specify calls to ignore Most calls to swing, awt, … are black Most calls to swing, awt, … are black

boxesboxes Can be done by method, class or packageCan be done by method, class or package

With exceptionsWith exceptions Solution 6: User SubstitutionSolution 6: User Substitution

User can provide alternative dummy User can provide alternative dummy methodmethod

Use it as the replacement methodUse it as the replacement method CCoomplex uses of reflectionmplex uses of reflection


CallbacksCallbacks ProblemProblem

Some callbacks are hidden in native codeSome callbacks are hidden in native code Callbacks need to have proper argumentsCallbacks need to have proper arguments

For accurate analysisFor accurate analysis Lots of user code is through callbacksLots of user code is through callbacks

SolutionSolution Note callbacks in resource fileNote callbacks in resource file

Associate callback method with registrationAssociate callback method with registration Provide calling sequence as wellProvide calling sequence as well

Simulate callbacks with proper argumentsSimulate callbacks with proper arguments Automatically during analysisAutomatically during analysis


Data StructuresData Structures ProblemProblem

Maps, collections are hard to analyzeMaps, collections are hard to analyze Expensive and inaccurate to look at Expensive and inaccurate to look at

codecode SolutionSolution

Introduce prototype sourcesIntroduce prototype sources With procedural models of methodsWith procedural models of methods

Simulate what the methods do in the sourceSimulate what the methods do in the source Don’t use the method code per seDon’t use the method code per se

Extend to iterators, etc. based on Extend to iterators, etc. based on prototypesprototypes


Prototype MapPrototype Map Tracks the contents of the mapTracks the contents of the map

Can track selective key-value pairsCan track selective key-value pairs Tracks empty, non-empty, eitherTracks empty, non-empty, either

Handles all the map operationsHandles all the map operations Updating internal contentsUpdating internal contents Returning appropriate valuesReturning appropriate values

Returns prototype iteratorsReturns prototype iterators That are aware of prototype That are aware of prototype

contentscontents


PrototypesPrototypes Provide more accurate analysisProvide more accurate analysis

Know the type of items stored in tableKnow the type of items stored in table Avoid merging of multiple tablesAvoid merging of multiple tables Know when tables are null and notKnow when tables are null and not

Provide more efficient analysisProvide more efficient analysis Speed up of 30%Speed up of 30%

Are relatively easy to implementAre relatively easy to implement Collections: < 900 lines of sourceCollections: < 900 lines of source Maps: < 500 lines of sourceMaps: < 500 lines of source


ExceptionsExceptions ProblemProblem

Normal exceptions are easy to Normal exceptions are easy to handlehandle

What to do with hidden exceptionsWhat to do with hidden exceptions catch (Throwable …)catch (Throwable …) Synchronized regionsSynchronized regions

SolutionSolution Restrict analysis to explicit Restrict analysis to explicit

exceptionsexceptions Unless explicitly told not toUnless explicitly told not to


Finding One InstanceFinding One Instance Trigger event => Model SourceTrigger event => Model Source

This determines the basic instanceThis determines the basic instance Where model source flowsWhere model source flows

Determines event locationsDetermines event locations Based on event typeBased on event type Based on event parametersBased on event parameters


ExampleExample E1 is the triggerE1 is the trigger

Provides a model Provides a model source Msource M

E2 occurs E2 occurs wheneverwhenever M flows to a call M flows to a call

to to Iterator.hasNextIterator.hasNext

E3, E4, E5 E3, E4, E5 similarlysimilarly

E1 (New) -- E1 (New) -- TRIGGERTRIGGER

RETURN(iteratRETURN(iterator)or)

C1 = C1 = resultresult

E2 E2 (HasNext)(HasNext)

CALL CALL (hasNext)(hasNext)

this = this = C1C1

E3 (Next)E3 (Next) CALL (next)CALL (next) this = this = C1C1

E4 E4 (HasMore)(HasMore)

CALL CALL (hasMoreElem(hasMoreElements)ents)

this = this = C1C1

E5 E5 (NextElt)(NextElt)

Call(nextElemeCall(nextElement)nt)

this = this = C1C1


Multi-Parameter Multi-Parameter SpecificationsSpecifications

Find all possible instances (statically)Find all possible instances (statically) Start with model source for triggerStart with model source for trigger Find all locations for next NEW eventFind all locations for next NEW event

Based on flow of the model sourceBased on flow of the model source Build a new instance for the source Build a new instance for the source

pairpair Continue to handle additional NEW Continue to handle additional NEW

sourcessources Note that we have to consider all setsNote that we have to consider all sets

And not just complete setsAnd not just complete sets


ExampleExample E1 is the triggerE1 is the trigger

Model source MModel source M Writer Writer

constructor callconstructor call With M as arg1With M as arg1 Yields new source Yields new source

M1M1 Instance <M,M1>Instance <M,M1>

If additional call If additional call With M1 as arg1With M1 as arg1 Build new Build new

instanceinstance

E1 (Create)E1 (Create) ALLOC ALLOC (FileWriter)(FileWriter) C1 = newC1 = new

E2 (Open)E2 (Open) RETURN RETURN (<init>)(<init>) this = C1this = C1


E4 (Nest)E4 (Nest) CALL (<init>)CALL (<init>)arg1 = arg1 = C1,C1,

C2 = thisC2 = this

E5 E5 (CloseNext)(CloseNext) CALL (close)CALL (close) this = C2this = C2E6 (Nest1)E6 (Nest1) CALL (<init>)CALL (<init>)

arg1 = arg1 = C2,C2,

C3 = thisC3 = this

E7 E7 (CloseNest1)(CloseNest1) CALL (close)CALL (close) this = C3this = C3

E8 (Nest2)E8 (Nest2) CALL (<init>CALL (<init>arg1 = arg1 = C3,C3,

C4 = thisC4 = this

E9 E9 (CloseNest2)(CloseNest2) CALL (close)CALL (close) this = C4this = C4


Where Are WeWhere Are We We have We have

Specified how components should be Specified how components should be usedused

Using parameterized automataUsing parameterized automata Found all instances of each Found all instances of each

specificationspecification Using detailed flow analysisUsing detailed flow analysis

Next we need to Next we need to Check each instanceCheck each instance

By creating a model programBy creating a model program And looking at all its possible executionsAnd looking at all its possible executions


Checking an InstanceChecking an Instance Build an abstract program for each Build an abstract program for each

instanceinstance Using flow-sensitive analysisUsing flow-sensitive analysis

Abstract program organized into routinesAbstract program organized into routines Abstract program generates event Abstract program generates event

sequencessequences Some nodes output eventsSome nodes output events Determine all event sequences that can be Determine all event sequences that can be

generatedgenerated Ensure that they are all valid wrt Ensure that they are all valid wrt

specificationspecification


Abstract ProgramsAbstract Programs Methods represented by automataMethods represented by automata

Each defined as a directed graphsEach defined as a directed graphs Nodes of the graph represent actionsNodes of the graph represent actions Arcs represent nondeterministic Arcs represent nondeterministic

traversaltraversal Control flow embedded in nodesControl flow embedded in nodes

Calls, asynchronous callsCalls, asynchronous calls Actions can do tests (on variables, Actions can do tests (on variables,

returns)returns) Actions can dead-end Actions can dead-end

If is represented as two test nodesIf is represented as two test nodes


Sample ProgramSample Program


Sample ConditionalSample Conditional


Abstract Program Abstract Program ActionsActions

Enter a routineEnter a routine Exit a routine Exit a routine Call a routineCall a routine Generate a particular eventGenerate a particular event Set a variable to a given valueSet a variable to a given value

Correspond to program variablesCorrespond to program variables Set the return value of the routineSet the return value of the routine Test a variable or return value for a valueTest a variable or return value for a value Exit (call to System.exit)Exit (call to System.exit) Asynchronous call of a routineAsynchronous call of a routine Begin synchronized regionBegin synchronized region End synchronized regionEnd synchronized region (Wait, Notify) events(Wait, Notify) events


Abstract Program Abstract Program VariablesVariables

Which variables are used in the Which variables are used in the programprogram Can be given as part of the specificationCan be given as part of the specification

Otherwise determined automaticallyOtherwise determined automatically Using a separate cursory flow analysisUsing a separate cursory flow analysis Determine which fields directly affect event Determine which fields directly affect event

generation in the abstract programgeneration in the abstract program Conditional using field branches around eventConditional using field branches around event

This is done before building the programThis is done before building the program


Simplifying Abstract Simplifying Abstract ProgramsPrograms

Simplification essential for fast checkingSimplification essential for fast checking Eliminate routines obviously not usedEliminate routines obviously not used

Through a quick transitive closure checkThrough a quick transitive closure check Then apply FSA minimization techniquesThen apply FSA minimization techniques

Throw away nodes with no effectsThrow away nodes with no effects Combine nodes where possibleCombine nodes where possible

No effectsNo effects If no thread starts, then all thread operationsIf no thread starts, then all thread operations If no conditionals for a variable (return), no setsIf no conditionals for a variable (return), no sets Conditional without internal nodesConditional without internal nodes Enter-exit only for a routineEnter-exit only for a routine Call of empty routineCall of empty routine


Checking the Abstract Checking the Abstract ProgramProgram

Find all possible event sequencesFind all possible event sequences Compute all possible runs of the Compute all possible runs of the

programprogram Determining what state each run leaves the Determining what state each run leaves the

specification automata inspecification automata in State = automata state + variable valuesState = automata state + variable values For each routine and start stateFor each routine and start state

Determine the possible states at each nodeDetermine the possible states at each node Determining the set of final statesDetermining the set of final states

This can then be applied recursively This can then be applied recursively Context-free model checkingContext-free model checking


Checking Threaded Checking Threaded ProgramsPrograms

Identify each potential thread Identify each potential thread (asynch)(asynch) Build a single automata for that threadBuild a single automata for that thread

By inlining the calls of the various routinesBy inlining the calls of the various routines By merging nested calls beyond a levelBy merging nested calls beyond a level

Then extend the state for checking Then extend the state for checking To include all thread statesTo include all thread states But limit the number of threads of But limit the number of threads of

each typeeach type


Finding an Example RunFinding an Example Run Once we know a final stateOnce we know a final state

We want a concrete execution We want a concrete execution sequencesequence

Done as a breadth-first searchDone as a breadth-first search Over abstract program executionOver abstract program execution Find a shortest executionFind a shortest execution May give up if too costlyMay give up if too costly


Interactive Result ViewerInteractive Result Viewer


ExperienceExperience Checking CHET on CLIMEChecking CHET on CLIME

521 tests, 21 errors detected (789/29)521 tests, 21 errors detected (789/29) CoverageCoverage

Manually verify all instances identifiedManually verify all instances identified CorrectnessCorrectness

Check all errors, ensure validCheck all errors, ensure valid Spot check othersSpot check others Check known failing casesCheck known failing cases

False PositivesFalse Positives About 1/3 of errors flagged are false positivesAbout 1/3 of errors flagged are false positives

System.exitSystem.exit Generally due to erroneous control flow (exceptions)Generally due to erroneous control flow (exceptions) Much less frequently due to overestimation of flowsMuch less frequently due to overestimation of flows


Experience -- TimingsExperience -- TimingsSystem LOC #BC Proj #BC flow time # Test # Errors Avg Test Max Test Total Time

Onsets 2669 137236 6210 41.47 12 2 7.8 55 01:28.6

Crawler 3562 148510 5502 50.33 32 10 10.2 76 01:27.4

Pinball 11266 380673 65541 173.76 57 11 94.3 971 03:45.6

Freecs 20570 228163 50567 109.77 68 2 10.7 452 03:05.6

Taiga 51945 320453 49134 485.62 197 7 1367.8 257964 14:43.6

Egothor 54317 744304 255770 545.537 819 178 3.9 253 22:13.2

Clime 67573 580707 124925 862.36 789 29 17.2 2140 24:16.2

Jalopy 94636 639310 348843 1697.79 36 9 18.5 222 31:32.1

Openjms 95470 468754 34951 584.79 55 46 75.1 1244 11:16.3


For More InformationFor More Information Steven Reiss Steven Reiss

[email protected]@cs.brown.edu Software, papers, etcSoftware, papers, etc

http://www.cs.brown.edu/people/sprhttp://www.cs.brown.edu/people/spr


Questions / CommentsQuestions / Comments

october 5, 2005 chet 1 efficient checking of component specifications in java systems steven p....

Documents

class libraries java

real java programs

application libraries

everyday programs

precise slide

instances of component

validity slide

java systems steven