![Page 1: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/1.jpg)
Model Checking Java Programs (Java PathFinder)
Slides partially compiled from the NASA JavaPathFinder project and E. Clarke’s course material
![Page 2: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/2.jpg)
Java PathFinder
JPF is an explicit state software model checker for Java bytecode
JPF is a Java virtual machine that executes your program not just once (like a normal VM), but theoretically in all possible ways, checking for property violations like deadlocks or unhandled exceptions along all potential execution paths.
![Page 3: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/3.jpg)
Symbolic Model Checking
Diagram: the Program and the Claim are fed to an Analysis Engine, which encodes the check as CNF for a SAT Solver; the solver answers UNSAT (no counterexample found) or SAT (counterexample exists).
![Page 4: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/4.jpg)
Explicit State Model Checking
The program is indeed executing: jpf <your class> <parameters>
Very similar to “java <your class> <parameters>”
Execute in a way that all possible scenarios are explored:
Thread interleaving
Nondeterministic values (random values)
Concrete input is provided
A state is indeed a concrete state, consisting of concrete values in heap/stack memory
![Page 5: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/5.jpg)
JPF Status
Developed at the Robust Software Engineering Group at NASA Ames Research Center; currently in its fourth development cycle:
v1: Spin/Promela translator - 1999
v2: backtrackable, state matching JVM - 2000
v3: extension infrastructure (listeners, MJI) - 2004
v4: symbolic execution, choice generators - 4Q 2005
Open sourced since 04/2005 under the NOSA 1.3 license: http://javapathfinder.sourceforge.net
First NASA-developed system hosted on public site before
![Page 6: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/6.jpg)
An Example
![Page 7: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/7.jpg)
An Example (cont.)
One execution corresponds to one path.
![Page 8: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/8.jpg)
![Page 9: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/9.jpg)
![Page 10: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/10.jpg)
JPF explores multiple possible executions GIVEN THE SAME CONCRETE INPUT
![Page 11: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/11.jpg)
Another Example
![Page 12: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/12.jpg)
![Page 13: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/13.jpg)
![Page 14: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/14.jpg)
Two Essential Capabilities
Backtracking: JPF can restore previous execution states to see if there are unexplored choices left.
While this can theoretically be achieved by re-executing the program from the beginning, backtracking is a much more efficient mechanism if state storage is optimized.
State matching: JPF checks for every new state whether it has already seen an equal one, in which case there is no use continuing along the current execution path, and JPF can backtrack to the nearest unexplored non-deterministic choice.
Heap and thread-stack snapshots.
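As an added Python illustration (not JPF's code and not from the slides), the following explicit-state search shows both capabilities on a constructed two-thread lost-update program: the DFS stack holds saved state snapshots (backtracking), and the set of seen states skips states already explored (state matching). The state layout and the three-step thread program are assumptions made for this example.

```python
from typing import Optional

# Constructed toy program: two threads run the same three steps on a shared
# int `count`, initially 0:  pc 0: r <- count   pc 1: r <- r + 1
# pc 2: count <- r   pc 3: done.  Property: both done implies count == 2.
# A state is a concrete snapshot, as in JPF: program counters and registers
# (thread stacks) plus the shared variable (heap).
State = tuple  # (pc0, r0, pc1, r1, count)

def step(state: State, t: int) -> Optional[State]:
    """Execute one instruction of thread t; None if that thread is done."""
    pc0, r0, pc1, r1, count = state
    pc, r = (pc0, r0) if t == 0 else (pc1, r1)
    if pc == 0:
        r = count
    elif pc == 1:
        r += 1
    elif pc == 2:
        count = r
    else:
        return None
    pc += 1
    return (pc, r, pc1, r1, count) if t == 0 else (pc0, r0, pc, r, count)

def violates(state: State) -> bool:
    pc0, _, pc1, _, count = state
    return pc0 == 3 and pc1 == 3 and count != 2

def explore(match_states: bool = True):
    """Depth-first search over every thread interleaving.
    Returns (counterexample path or None, number of states visited)."""
    init = (0, 0, 0, 0, 0)
    stack = [(init, [init])]   # backtracking: snapshots to restore later
    seen = set()               # state matching: equal states explored once
    visited = 0
    while stack:
        state, path = stack.pop()
        if match_states:
            if state in seen:
                continue
            seen.add(state)
        visited += 1
        if violates(state):
            return path, visited
        for t in (0, 1):       # scheduling choice: which thread runs next
            nxt = step(state, t)
            if nxt is not None:
                stack.append((nxt, path + [nxt]))
    return None, visited
```

Running `explore()` returns the interleaving in which the second thread reads `count` before the first has stored it, ending with `count == 1`; `explore(False)` finds the same defect but revisits states that matching would have pruned.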
![Page 15: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/15.jpg)
The Challenge
![Page 16: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/16.jpg)
The Challenge (cont.)
State Explosion!!
![Page 17: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/17.jpg)
JPF’s Approach
Configurable search strategy: directing the search so that defects can be found more quickly.
A debugging tool instead of a “proof” system.
Users can easily develop their own strategy.
Host VM execution: delegate execution to the underlying host VM (no state tracking).
Reducing state storage: state collapsing.
Premise: only a tiny part of the state is changed upon each transition (e.g. a single stack frame). Divide a state into components and use a hashtable to index a specific value for each component.
![Page 18: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/18.jpg)
Solution – State Collapsing
![Page 19: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/19.jpg)
Solution – State Reduction
Two orthogonal approaches: State Abstraction (our focus) and Partial Order Reduction
![Page 20: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/20.jpg)
Abstraction
Eliminate details irrelevant to the property
Obtain simple finite models sufficient to verify the property
Disadvantage: loss of precision (false positives/negatives)
![Page 21: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/21.jpg)
Data Abstraction
Diagram: the abstraction function h maps each concrete state in S to an abstract state in S'.
![Page 22: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/22.jpg)
Data Abstraction Example
Abstraction proceeds component-wise, where variables are components
x:int is abstracted to Even {…, -2, 0, 2, 4, …} or Odd {…, -3, -1, 1, 3, …}
y:int is abstracted to Pos {1, 2, 3, …}, Neg {…, -3, -2, -1} or Zero {0}
![Page 23: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/23.jpg)
How do we Abstract Behaviors?
Abstract domain A: abstract concrete values to those in A
Then compute transitions in the abstract domain
![Page 24: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/24.jpg)
Data Type Abstraction
Code:
int x = 0;
if (x == 0) x = x + 1;
Abstract data domain Signs = {NEG, ZERO, POS} replaces int, with (n<0) : NEG, (n==0) : ZERO, (n>0) : POS
Abstracted code:
Signs x = ZERO;
if (Signs.eq(x, ZERO)) x = Signs.add(x, POS);
![Page 25: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/25.jpg)
Existential/Universal Abstractions
Existential: make a transition from an abstract state if at least one corresponding concrete state has the transition. The abstract model M’ simulates the concrete model M.
Universal: make a transition from an abstract state if all the corresponding concrete states have the transition.
![Page 26: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/26.jpg)
Existential Abstraction (Over-approximation)
Diagram: h maps the concrete states S (initial states I) to the abstract states S’ (initial states I); every concrete transition has an abstract counterpart, so M’ over-approximates M.
![Page 27: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/27.jpg)
Universal Abstraction (Under-Approximation)
Diagram: h maps the concrete states S (initial states I) to the abstract states S’ (initial states I); only transitions shared by all concrete states of a block are kept, so M’ under-approximates M.
![Page 28: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/28.jpg)
Guarantees from Abstraction
Assume M’ is an abstraction of M
Strong Preservation: P holds in M’ iff P holds in M
Weak Preservation: P holds in M’ implies P holds in M
![Page 29: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/29.jpg)
Guarantees from Exist. Abstraction
Let φ be a hold-for-all-paths property and let M’ existentially abstract M.
Preservation Theorem: M’ ⊨ φ ⟹ M ⊨ φ
M’ ⊭ φ : counterexample may be spurious
Converse does not hold: M’ ⊭ φ ⇏ M ⊭ φ
![Page 30: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/30.jpg)
Guarantees from Univ. Abstraction
Let φ be an existentially quantified property and let M simulate M’.
Preservation Theorem: M’ ⊨ φ ⟹ M ⊨ φ
Converse does not hold: M ⊨ φ ⇏ M’ ⊨ φ
![Page 31: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/31.jpg)
Spurious counterexample in Over-approximation
Diagram: a spurious counterexample in the over-approximation. The abstract path from the initial states I reaches a Failure State f whose concrete states split into Deadend states (reachable, but without the onward transition) and Bad States (with the onward transition, but not reachable).
![Page 32: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/32.jpg)
Refinement
Problem: Deadend and Bad states are in the same abstract state.
Solution: refine the abstraction function. The sets of Deadend and Bad states should be separated into different abstract states.
![Page 33: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/33.jpg)
Refinement
Diagram: the refined abstraction function h’ separates the Deadend and Bad states into different abstract states.
![Page 34: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/34.jpg)
Automated Abstraction/Refinement
Good abstractions are hard to obtain, so automate both the Abstraction and Refinement processes.
Counterexample-Guided AR (CEGAR):
Build an abstract model M’
Model check property P: M’ ⊨ P?
If M’ ⊨ P, then M ⊨ P by the Preservation Theorem
Otherwise, check if the Counterexample (CE) is spurious
Refine the abstract state space using the CE analysis results
Repeat
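As an added Python illustration (not code from the slides or from JPF), this computes the existential and universal abstractions of a small constructed concrete model under the Signs abstraction function h, then runs the CEGAR steps above on the over-approximation: model check, replay the abstract counterexample concretely to detect a spurious CE, and split the failure abstract state into deadend and bad concrete states, which is the cue for refinement. The concrete model (states 0..4, a saturating x := x + 2, and a reset from 4 to 0) and the simplified deadend/bad split are assumptions made for this example; the universal abstraction drops the POS→ZERO transition that only one concrete state has, which is why a property that holds in M need not hold in M’.

```python
from itertools import product

# Constructed concrete model M: states x in 0..4, every state does
# x := min(x + 2, 4); state 4 may additionally reset to 0.
CONCRETE = {0, 1, 2, 3, 4}
INIT = {0}

def concrete_successors(x):
    return {min(x + 2, 4), 0} if x == 4 else {min(x + 2, 4)}

def h(x):
    """The slides' Signs abstraction function."""
    return "NEG" if x < 0 else "ZERO" if x == 0 else "POS"

def abstract_transitions(mode):
    """Existential: keep (a, b) if SOME concrete x in a has a successor in b.
    Universal: keep (a, b) only if EVERY concrete x in a has one."""
    rel = set()
    for a, b in product({h(x) for x in CONCRETE}, repeat=2):
        has = [any(h(y) == b for y in concrete_successors(x))
               for x in CONCRETE if h(x) == a]
        keep = any(has) if mode == "existential" else all(has)
        if keep:
            rel.add((a, b))
    return rel

def reachable(init, succ):
    seen, work = set(init), list(init)
    while work:
        for t in succ(work.pop()):
            if t not in seen:
                seen.add(t)
                work.append(t)
    return seen

def check_safety(bad):
    """CEGAR step on the existential abstraction for 'bad is never reached':
    if M' reaches h(bad), replay concretely; a CE with no concrete witness is
    spurious (deadend = reachable, not bad; bad = bad, unreachable; simplified)."""
    rel = abstract_transitions("existential")
    abs_reach = reachable({h(x) for x in INIT}, lambda a: {b for p, b in rel if p == a})
    failure = {h(x) for x in bad}
    if not abs_reach & failure:
        return {"abstract_bug": False}          # M' |= phi, hence M |= phi
    conc_reach = reachable(INIT, concrete_successors)
    block = {x for x in CONCRETE if h(x) in failure}
    return {"abstract_bug": True,
            "spurious": not (conc_reach & bad),
            "deadend": block & (conc_reach - bad),
            "bad": (block & bad) - conc_reach}
```

For `bad = {1}` the abstract model reports a bug (ZERO→POS reaches the class of 1), but no concrete run from 0 ever reaches 1, so the CE is spurious and the split {2, 4} versus {1} tells the refinement to separate even from odd inside POS.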
![Page 35: Model Checking Java Programs (Java PathFinder)](https://reader033.vdocument.in/reader033/viewer/2022051404/584cceff1a28ab85738f86aa/html5/thumbnails/35.jpg)
Counterexample-Guided Abstraction-Refinement (CEGAR)
Flowchart: Build New Abstract Model M’ from M → Model Check → Pass: No Bug; Fail: Check Counterexample → Real CE: Bug; Spurious CE: Obtain Refinement Cue → Build New Abstract Model (repeat).