October 5, 2005 CHET 1
Efficient Checking of Efficient Checking of Component Component
SpecificationsSpecifications in Java Systems in Java Systems
Steven P. ReissSteven P. Reiss
Brown UniversityBrown University
April 19, 2023 CHET 2
Our GoalOur Goal To Improve ProgrammingTo Improve Programming
More reliableMore reliable More secureMore secure More robustMore robust More understandableMore understandable EasierEasier
To Deal With Real SystemsTo Deal With Real Systems Not yesterday’sNot yesterday’s Some today’sSome today’s Worrying about tomorrow’sWorrying about tomorrow’s
April 19, 2023 CHET 3
Model CheckingModel Checking Is the next great thing for Is the next great thing for
programmersprogrammers Will find all our bugs automaticallyWill find all our bugs automatically Will fix all our problemsWill fix all our problems
But with minor exceptions it is not usedBut with minor exceptions it is not used Not on an everyday basisNot on an everyday basis Not for everyday programsNot for everyday programs Not by most programmersNot by most programmers
What is needed hereWhat is needed here Must be “automatic” -- no effort requiredMust be “automatic” -- no effort required Must be fast -- “compilation speed”Must be fast -- “compilation speed” Must be helpful -- accurate, preciseMust be helpful -- accurate, precise
April 19, 2023 CHET 4
The Problem of The Problem of ComponentsComponents
Java programs are built on class librariesJava programs are built on class libraries Standard java librariesStandard java libraries Open source librariesOpen source libraries Libraries created for an applicationLibraries created for an application
Creators know how they should be usedCreators know how they should be used Each has its own pattern of usageEach has its own pattern of usage Typically fail if not used correctlyTypically fail if not used correctly
Make sure they are used correctlyMake sure they are used correctly Throughout the programThroughout the program Each instanceEach instance StaticallyStatically With “real” Java programsWith “real” Java programs
April 19, 2023 CHET 5
The SolutionThe Solution
Create a ComponentSpecification Language
Find Instances ofComponent Usage
Check Each Instancefor Validity
April 19, 2023 CHET 6
Specification LanguageSpecification Language Define how components should be Define how components should be
usedused In a way that matches their useIn a way that matches their use Once for all potential instancesOnce for all potential instances
So that it can be done by programmersSo that it can be done by programmers And the specification can be understoodAnd the specification can be understood
SolutionSolution Use finite automata Use finite automata
Over parameterized program eventsOver parameterized program events Matches call sequences, variable usage, etc.Matches call sequences, variable usage, etc.
April 19, 2023 CHET 7
Specification InstancesSpecification Instances Components are used multiple timesComponents are used multiple times
List, Iterator, XmlWriter, …List, Iterator, XmlWriter, … Need to handle each use separatelyNeed to handle each use separately Uses must be found automaticallyUses must be found automatically
As specific as possible (statically)As specific as possible (statically) SolutionSolution
Using flow analysis over the class filesUsing flow analysis over the class files Trigger events define instancesTrigger events define instances Other events used in particular Other events used in particular
instancesinstances
April 19, 2023 CHET 8
Checking SpecificationsChecking Specifications Each instance must be checkedEach instance must be checked
IndependentlyIndependently To ensure the specification is metTo ensure the specification is met
SolutionSolution Create a simple model program per Create a simple model program per
instanceinstance Check if model program meets Check if model program meets
specificationspecification Using model checking techniquesUsing model checking techniques
Do all this efficientlyDo all this efficiently
April 19, 2023 CHET 9
Keeping this PracticalKeeping this Practical Most components are used through callsMost components are used through calls
Control flow determines call sequencesControl flow determines call sequences Data flow determines which callsData flow determines which calls
Most component usage is single threadedMost component usage is single threaded Can often ignore thread interactionsCan often ignore thread interactions
This is simpler than the general problemThis is simpler than the general problem Need to track fewer variablesNeed to track fewer variables Need to worry less about variable valuesNeed to worry less about variable values Need to worry less about interweavingNeed to worry less about interweaving
April 19, 2023 CHET 10
CHET OverviewCHET Overview
Specifications ApplicationFlow
Analysis
Instances
Abstract ProgramBuilder
ProgramChecker
Report
April 19, 2023 CHET 11
Iterator UsageIterator Usage
E1 (New) -- TRIGGERE1 (New) -- TRIGGER RETURN(iterator)RETURN(iterator) C1 = resultC1 = result
E2 (HasNext)E2 (HasNext) CALL (hasNext)CALL (hasNext) this = C1this = C1
E3 (Next)E3 (Next) CALL (next)CALL (next) this = C1this = C1
E4 (HasMore)E4 (HasMore) CALL CALL (hasMoreElements)(hasMoreElements) this = C1this = C1
E5 (NextElt)E5 (NextElt) Call(nextElement)Call(nextElement) this = C1this = C1
April 19, 2023 CHET 12
Comodification CheckingComodification Checking
E1 (New) -- TRIGGERE1 (New) -- TRIGGER ALLOC (Vector)ALLOC (Vector) C1 = resultC1 = result
E2 (Add)E2 (Add) CALL (add)CALL (add) this = C1this = C1
E3 (Add1)E3 (Add1) CALL (addElement)CALL (addElement) this = C1this = C1
E4 (Add2)E4 (Add2) CALL (addAll)CALL (addAll) this = C1this = C1
E5 (Iter)E5 (Iter) RETURN (iterator)RETURN (iterator) this = C1, C2 = returnthis = C1, C2 = return
E6 (Next)E6 (Next) CALL (next)CALL (next) this = C2this = C2
E7 (Next1)E7 (Next1) CALL (nextElement)CALL (nextElement) this = C2this = C2
April 19, 2023 CHET 13
Xml Writer UsageXml Writer Usage
E0 (New) -- TRIGGERE0 (New) -- TRIGGER ALLOC (XmlWriter)ALLOC (XmlWriter) C1 = newC1 = new
E1 (Begin)E1 (Begin) CALL (begin)CALL (begin) this = C1this = C1
E2 (End)E2 (End) CALL (end)CALL (end) this = C1this = C1
E3 (Field)E3 (Field) CALL (field)CALL (field) this = C1this = C1
E4 (Cdata)E4 (Cdata) CALL (cdata)CALL (cdata) this = C1this = C1
E5 (Text)E5 (Text) CALL (text)CALL (text) this = C1this = C1
E6 (Xml)E6 (Xml) CALL (writeXml)CALL (writeXml) this = C1this = C1
E7 (Close)E7 (Close) CALL (close)CALL (close) this = C1this = C1
April 19, 2023 CHET 14
File Open-CloseFile Open-Close
E1 (Create) - E1 (Create) - TT
ALLOC ALLOC (FileWriter)(FileWriter) C1 = newC1 = new
E2 (Open)E2 (Open) RETURN (<init>)RETURN (<init>) this = C1this = C1
E3 (Close)E3 (Close) CALL (close)CALL (close) this = C1this = C1
E4 (Nest)E4 (Nest) CALL (<init>)CALL (<init>)arg1 = arg1 = C1,C1,
C2 = thisC2 = this
E5 E5 (CloseNext)(CloseNext) CALL (close)CALL (close) this = C2this = C2
E6 (Nest1)E6 (Nest1) CALL CALL (<init>)(<init>)
arg1 = C2,arg1 = C2,
C3 = thisC3 = this
E7 (CloseNest1)E7 (CloseNest1) CALL (close)CALL (close) this = C3this = C3
E8 (Nest2)E8 (Nest2) CALL CALL (<init>(<init>
arg1 = C3,arg1 = C3,
C4 = thisC4 = this
E9 (CloseNest2)E9 (CloseNest2) CALL (close)CALL (close) this = C4this = C4
April 19, 2023 CHET 15
Catching ErrorsCatching Errors
E1 (Create) -- E1 (Create) -- TRIGGERTRIGGER ALLOC (Error)ALLOC (Error) C1 = newC1 = new
E2 (Throw)E2 (Throw) THROWTHROW throw = C1throw = C1
E3 (Catch)E3 (Catch) CATCHCATCH catch = C1catch = C1
April 19, 2023 CHET 16
Web Crawler LibraryWeb Crawler Library
E1 (Begin) E1 (Begin) T T
CALL (beginProcessing)CALL (beginProcessing) C1 = arg1C1 = arg1
E2 (Open)E2 (Open) RETURN RETURN (openConnection)(openConnection) this = C1this = C1
E3 (Save)E3 (Save) CALL (saveHtml)CALL (saveHtml) this = C1this = C1
E4 (File)E4 (File) CALL (getHtmlFile)CALL (getHtmlFile) this = C1this = C1
E5 E5 (Header)(Header) CALL (saveHeader)CALL (saveHeader) this = C1this = C1
E6 (Links)E6 (Links) CALL (saveLinks)CALL (saveLinks) this = C1this = C1
E7 E7 (Redirect)(Redirect)
CALL CALL (setRedirectHtml)(setRedirectHtml)
this = C1this = C1
E8 (NoteErr)E8 (NoteErr) CALL (setError)CALL (setError) this = C1this = C1
E9 (Text)E9 (Text) CALL (processText)CALL (processText) this = C1this = C1
E10 E10 (TextBrk)(TextBrk)
CALL CALL (processTextBreak)(processTextBreak)
this = C1this = C1
E11 (Finish)E11 (Finish) CALL CALL (endProcessing)(endProcessing)
this = C1this = C1
April 19, 2023 CHET 17
Nested LocksNested Locks
E0 (Alloc) -- TRIGGERE0 (Alloc) -- TRIGGER ALLOC (Object)ALLOC (Object) C1 = newC1 = new
E1 (Lock_X)E1 (Lock_X) LOCKLOCK lock = C1lock = C1
E2 (Unlock_X)E2 (Unlock_X) UNLOCKUNLOCK lock = C1lock = C1
E3 (Lock_Y)E3 (Lock_Y) LOCKLOCK C2 = newC2 = new
E4 (Unlock_Y)E4 (Unlock_Y) UNLOCKUNLOCK lock = C2lock = C2
April 19, 2023 CHET 18
Events & ParametersEvents & Parameters CALL (caller this, argCALL (caller this, argii, calling this), calling this) RETURN (this, return value)RETURN (this, return value) ENTRY (this, argENTRY (this, argii)) FIELD (this) [set to int, null, nonnull]FIELD (this) [set to int, null, nonnull] ALLOC (new object)ALLOC (new object) CATCH (catch object)CATCH (catch object) THROW (throw object)THROW (throw object) LOCK (lock object)LOCK (lock object) UNLOCK (lock object)UNLOCK (lock object)
April 19, 2023 CHET 19
Why Event-Based Why Event-Based SpecificationSpecification
ESP and others use code patternsESP and others use code patterns These are closer to programsThese are closer to programs And hence easier to understandAnd hence easier to understand
However they are hard to generalizeHowever they are hard to generalize Iterator can use nextElement or nextIterator can use nextElement or next Nested opens and alternativesNested opens and alternatives Xml writer alternativesXml writer alternatives
Events and automata generalizeEvents and automata generalize Easy to define abstract patternsEasy to define abstract patterns
Still understandable by programmersStill understandable by programmers
April 19, 2023 CHET 20
Finding All InstancesFinding All Instances Done using flow analysisDone using flow analysis
Of the program and its librariesOf the program and its libraries Handling all specifications at onceHandling all specifications at once
Each trigger event yields a sourceEach trigger event yields a source We determine where this source can flowWe determine where this source can flow This determines which events are relevantThis determines which events are relevant
To this particular instanceTo this particular instance
But its not that easyBut its not that easy Multiple-parameter eventsMultiple-parameter events Accurate flow and type analysis requiredAccurate flow and type analysis required
April 19, 2023 CHET 21
ExampleExampleVector<A> v = …Vector<A> v = …
Iterator it = v.iterator();Iterator it = v.iterator();
while (it.hasNext()) {while (it.hasNext()) {
A x = it.next();A x = it.next();
……
}}
……
for (it = v.iterator();for (it = v.iterator();
it.hasNext(); ) {it.hasNext(); ) {
A y = it.next();A y = it.next();
……
}}
Trigger Source
Trigger Source
April 19, 2023 CHET 22
Flow AnalysisFlow Analysis Identify sourcesIdentify sources
From trigger events From trigger events Tracking sources and where they Tracking sources and where they
flowflow Through symbolic executionThrough symbolic execution
Result: Determine at each locationResult: Determine at each location What sources are usedWhat sources are used
This lets us check event parametersThis lets us check event parameters Trigger source used on call => eventTrigger source used on call => event
April 19, 2023 CHET 23
Flow Analysis GoalsFlow Analysis Goals Complete analysisComplete analysis
Ensure we track all possible uses a Ensure we track all possible uses a sourcesource
Must include libraries as well as Must include libraries as well as user codeuser code
Accurate analysisAccurate analysis Must know types for virtual callsMust know types for virtual calls Must understand full Java semanticsMust understand full Java semantics Must handle all methods (including Must handle all methods (including
native, etc.)native, etc.)
April 19, 2023 CHET 24
Flow Analysis TechniquesFlow Analysis Techniques Done at the byte code levelDone at the byte code level
Tracking types and valuesTracking types and values Through symbolic executionThrough symbolic execution
Full Interprocedural flow analysisFull Interprocedural flow analysis Using a work queue approachUsing a work queue approach Of user code and librariesOf user code and libraries Handling all the complexities of JavaHandling all the complexities of Java
Selectively context sensitiveSelectively context sensitive Flow sensitive, not path sensitiveFlow sensitive, not path sensitive
Tradeoff accuracy and speedTradeoff accuracy and speed Accuracy where important, speed Accuracy where important, speed
otherwiseotherwise
April 19, 2023 CHET 25
Flow Analysis IssuesFlow Analysis Issues Speed versus accuracySpeed versus accuracy
Start with the minimum possibleStart with the minimum possible Add more information to get needed accuracyAdd more information to get needed accuracy
What to trackWhat to track Trigger sources; all other sourcesTrigger sources; all other sources
Java Issues that aroseJava Issues that arose Static initializersStatic initializers ConstructorsConstructors Native methodsNative methods ReflectionReflection CallbacksCallbacks Data structuresData structures ExceptionsExceptions
April 19, 2023 CHET 26
What to Track: SourcesWhat to Track: Sources Local SourcesLocal Sources
Anything generated via a new operatorAnything generated via a new operator Track values stored in fields of the Track values stored in fields of the
sourcesource Array SourcesArray Sources
Created by new array operators Created by new array operators Track values stored in the arrayTrack values stored in the array
Fixed SourcesFixed Sources Results from native methods, built-in Results from native methods, built-in
valuesvalues Can be mutable (changed on a cast)Can be mutable (changed on a cast)
April 19, 2023 CHET 27
SourcesSources Model SourcesModel Sources
Generated by trigger eventsGenerated by trigger events One-to-one association with One-to-one association with
instancesinstances Field SourcesField Sources
Track the values of fieldsTrack the values of fields Only for fields used in specificationsOnly for fields used in specifications Determine where the fields are usedDetermine where the fields are used
Others Others Privacy, …Privacy, …
April 19, 2023 CHET 28
ValuesValues Flow analysis deals with valuesFlow analysis deals with values
These are sets of sourcesThese are sets of sources Associated with each field, local, Associated with each field, local,
stack, …stack, … Value contains additional Value contains additional
informationinformation Data type (for type analysis)Data type (for type analysis) CanBe or MustBe NULL flagsCanBe or MustBe NULL flags Integer value range (or indefinite)Integer value range (or indefinite)
Operations applied symbolicallyOperations applied symbolically
April 19, 2023 CHET 29
Static InitializersStatic Initializers ProblemProblem
Called implicitly at first useCalled implicitly at first use Must return before class can be usedMust return before class can be used
Accurate field analysis requires thisAccurate field analysis requires this But it can call methods of the classBut it can call methods of the class Some classes initialized by JVMSome classes initialized by JVM
SolutionSolution Track whether initializer has been startedTrack whether initializer has been started Add some system classes by defaultAdd some system classes by default Don’t process methods before startedDon’t process methods before started
April 19, 2023 CHET 30
ConstructorsConstructors ProblemProblem
Most methods assume constructor doneMost methods assume constructor done Accurate field analysis requires thisAccurate field analysis requires this But constructors can be quite complexBut constructors can be quite complex
SolutionSolution Track current set of constructors we Track current set of constructors we
are inare in Only process method if Only process method if
We have constructed an object of this class We have constructed an object of this class OROR
We are called from within the constructorWe are called from within the constructor
April 19, 2023 CHET 31
Native & Reflexive Native & Reflexive MethodsMethods
Problem Problem These are hidden from static analysisThese are hidden from static analysis
Solution 1: Default handlingSolution 1: Default handling Use a fixed source of return typeUse a fixed source of return type Use mutable sources where Use mutable sources where
appropriateappropriate Solution 2: Internal Special Solution 2: Internal Special
handlinghandling arraycopy : copy array valuesarraycopy : copy array values
April 19, 2023 CHET 32
Native & Reflexive Native & Reflexive MethodsMethods
Solution 3: Resource-based returnSolution 3: Resource-based return User specifies return type in resource fileUser specifies return type in resource file Can be specified as mutableCan be specified as mutable On a function basisOn a function basis On a call-site basisOn a call-site basis
Solution 4: Method substitutionSolution 4: Method substitution Resource file can specify alternative Resource file can specify alternative
methodmethod Thread.start => Thread.runThread.start => Thread.run AccessController.doPrivileged => runAccessController.doPrivileged => run
April 19, 2023 CHET 33
Native and Reflexive Native and Reflexive MethodsMethods
Solution 5: IgnoreSolution 5: Ignore Resource file can specify calls to ignoreResource file can specify calls to ignore Most calls to swing, awt, … are black Most calls to swing, awt, … are black
boxesboxes Can be done by method, class or packageCan be done by method, class or package
With exceptionsWith exceptions Solution 6: User SubstitutionSolution 6: User Substitution
User can provide alternative dummy User can provide alternative dummy methodmethod
Use it as the replacement methodUse it as the replacement method CCoomplex uses of reflectionmplex uses of reflection
April 19, 2023 CHET 34
CallbacksCallbacks ProblemProblem
Some callbacks are hidden in native codeSome callbacks are hidden in native code Callbacks need to have proper argumentsCallbacks need to have proper arguments
For accurate analysisFor accurate analysis Lots of user code is through callbacksLots of user code is through callbacks
SolutionSolution Note callbacks in resource fileNote callbacks in resource file
Associate callback method with registrationAssociate callback method with registration Provide calling sequence as wellProvide calling sequence as well
Simulate callbacks with proper argumentsSimulate callbacks with proper arguments Automatically during analysisAutomatically during analysis
April 19, 2023 CHET 35
Data StructuresData Structures ProblemProblem
Maps, collections are hard to analyzeMaps, collections are hard to analyze Expensive and inaccurate to look at Expensive and inaccurate to look at
codecode SolutionSolution
Introduce prototype sourcesIntroduce prototype sources With procedural models of methodsWith procedural models of methods
Simulate what the methods do in the sourceSimulate what the methods do in the source Don’t use the method code per seDon’t use the method code per se
Extend to iterators, etc. based on Extend to iterators, etc. based on prototypesprototypes
April 19, 2023 CHET 36
Prototype MapPrototype Map Tracks the contents of the mapTracks the contents of the map
Can track selective key-value pairsCan track selective key-value pairs Tracks empty, non-empty, eitherTracks empty, non-empty, either
Handles all the map operationsHandles all the map operations Updating internal contentsUpdating internal contents Returning appropriate valuesReturning appropriate values
Returns prototype iteratorsReturns prototype iterators That are aware of prototype That are aware of prototype
contentscontents
April 19, 2023 CHET 37
PrototypesPrototypes Provide more accurate analysisProvide more accurate analysis
Know the type of items stored in tableKnow the type of items stored in table Avoid merging of multiple tablesAvoid merging of multiple tables Know when tables are null and notKnow when tables are null and not
Provide more efficient analysisProvide more efficient analysis Speed up of 30%Speed up of 30%
Are relatively easy to implementAre relatively easy to implement Collections: < 900 lines of sourceCollections: < 900 lines of source Maps: < 500 lines of sourceMaps: < 500 lines of source
April 19, 2023 CHET 38
ExceptionsExceptions ProblemProblem
Normal exceptions are easy to Normal exceptions are easy to handlehandle
What to do with hidden exceptionsWhat to do with hidden exceptions catch (Throwable …)catch (Throwable …) Synchronized regionsSynchronized regions
SolutionSolution Restrict analysis to explicit Restrict analysis to explicit
exceptionsexceptions Unless explicitly told not toUnless explicitly told not to
April 19, 2023 CHET 39
Finding One InstanceFinding One Instance Trigger event => Model SourceTrigger event => Model Source
This determines the basic instanceThis determines the basic instance Where model source flowsWhere model source flows
Determines event locationsDetermines event locations Based on event typeBased on event type Based on event parametersBased on event parameters
April 19, 2023 CHET 40
ExampleExample E1 is the triggerE1 is the trigger
Provides a model Provides a model source Msource M
E2 occurs E2 occurs wheneverwhenever M flows to a call M flows to a call
to to Iterator.hasNextIterator.hasNext
E3, E4, E5 E3, E4, E5 similarlysimilarly
E1 (New) -- E1 (New) -- TRIGGERTRIGGER
RETURN(iteratRETURN(iterator)or)
C1 = C1 = resultresult
E2 E2 (HasNext)(HasNext)
CALL CALL (hasNext)(hasNext)
this = this = C1C1
E3 (Next)E3 (Next) CALL (next)CALL (next) this = this = C1C1
E4 E4 (HasMore)(HasMore)
CALL CALL (hasMoreElem(hasMoreElements)ents)
this = this = C1C1
E5 E5 (NextElt)(NextElt)
Call(nextElemeCall(nextElement)nt)
this = this = C1C1
April 19, 2023 CHET 41
Multi-Parameter Multi-Parameter SpecificationsSpecifications
Find all possible instances (statically)Find all possible instances (statically) Start with model source for triggerStart with model source for trigger Find all locations for next NEW eventFind all locations for next NEW event
Based on flow of the model sourceBased on flow of the model source Build a new instance for the source Build a new instance for the source
pairpair Continue to handle additional NEW Continue to handle additional NEW
sourcessources Note that we have to consider all setsNote that we have to consider all sets
And not just complete setsAnd not just complete sets
April 19, 2023 CHET 42
ExampleExample E1 is the triggerE1 is the trigger
Model source MModel source M Writer Writer
constructor callconstructor call With M as arg1With M as arg1 Yields new source Yields new source
M1M1 Instance <M,M1>Instance <M,M1>
If additional call If additional call With M1 as arg1With M1 as arg1 Build new Build new
instanceinstance
E1 (Create)E1 (Create) ALLOC ALLOC (FileWriter)(FileWriter) C1 = newC1 = new
E2 (Open)E2 (Open) RETURN RETURN (<init>)(<init>) this = C1this = C1
E3 (Close)E3 (Close) CALL (close)CALL (close) this = C1this = C1
E4 (Nest)E4 (Nest) CALL (<init>)CALL (<init>)arg1 = arg1 = C1,C1,
C2 = thisC2 = this
E5 E5 (CloseNext)(CloseNext) CALL (close)CALL (close) this = C2this = C2E6 (Nest1)E6 (Nest1) CALL (<init>)CALL (<init>)
arg1 = arg1 = C2,C2,
C3 = thisC3 = this
E7 E7 (CloseNest1)(CloseNest1) CALL (close)CALL (close) this = C3this = C3
E8 (Nest2)E8 (Nest2) CALL (<init>CALL (<init>arg1 = arg1 = C3,C3,
C4 = thisC4 = this
E9 E9 (CloseNest2)(CloseNest2) CALL (close)CALL (close) this = C4this = C4
April 19, 2023 CHET 43
Where Are WeWhere Are We We have We have
Specified how components should be Specified how components should be usedused
Using parameterized automataUsing parameterized automata Found all instances of each Found all instances of each
specificationspecification Using detailed flow analysisUsing detailed flow analysis
Next we need to Next we need to Check each instanceCheck each instance
By creating a model programBy creating a model program And looking at all its possible executionsAnd looking at all its possible executions
April 19, 2023 CHET 44
Checking an InstanceChecking an Instance Build an abstract program for each Build an abstract program for each
instanceinstance Using flow-sensitive analysisUsing flow-sensitive analysis
Abstract program organized into routinesAbstract program organized into routines Abstract program generates event Abstract program generates event
sequencessequences Some nodes output eventsSome nodes output events Determine all event sequences that can be Determine all event sequences that can be
generatedgenerated Ensure that they are all valid wrt Ensure that they are all valid wrt
specificationspecification
April 19, 2023 CHET 45
Abstract ProgramsAbstract Programs Methods represented by automataMethods represented by automata
Each defined as a directed graphsEach defined as a directed graphs Nodes of the graph represent actionsNodes of the graph represent actions Arcs represent nondeterministic Arcs represent nondeterministic
traversaltraversal Control flow embedded in nodesControl flow embedded in nodes
Calls, asynchronous callsCalls, asynchronous calls Actions can do tests (on variables, Actions can do tests (on variables,
returns)returns) Actions can dead-end Actions can dead-end
If is represented as two test nodesIf is represented as two test nodes
April 19, 2023 CHET 46
Sample ProgramSample Program
April 19, 2023 CHET 47
Sample ConditionalSample Conditional
April 19, 2023 CHET 48
Abstract Program Abstract Program ActionsActions
Enter a routineEnter a routine Exit a routine Exit a routine Call a routineCall a routine Generate a particular eventGenerate a particular event Set a variable to a given valueSet a variable to a given value
Correspond to program variablesCorrespond to program variables Set the return value of the routineSet the return value of the routine Test a variable or return value for a valueTest a variable or return value for a value Exit (call to System.exit)Exit (call to System.exit) Asynchronous call of a routineAsynchronous call of a routine Begin synchronized regionBegin synchronized region End synchronized regionEnd synchronized region (Wait, Notify) events(Wait, Notify) events
April 19, 2023 CHET 49
Abstract Program Abstract Program VariablesVariables
Which variables are used in the Which variables are used in the programprogram Can be given as part of the specificationCan be given as part of the specification
Otherwise determined automaticallyOtherwise determined automatically Using a separate cursory flow analysisUsing a separate cursory flow analysis Determine which fields directly affect event Determine which fields directly affect event
generation in the abstract programgeneration in the abstract program Conditional using field branches around eventConditional using field branches around event
This is done before building the programThis is done before building the program
April 19, 2023 CHET 50
Simplifying Abstract Simplifying Abstract ProgramsPrograms
Simplification essential for fast checkingSimplification essential for fast checking Eliminate routines obviously not usedEliminate routines obviously not used
Through a quick transitive closure checkThrough a quick transitive closure check Then apply FSA minimization techniquesThen apply FSA minimization techniques
Throw away nodes with no effectsThrow away nodes with no effects Combine nodes where possibleCombine nodes where possible
No effectsNo effects If no thread starts, then all thread operationsIf no thread starts, then all thread operations If no conditionals for a variable (return), no setsIf no conditionals for a variable (return), no sets Conditional without internal nodesConditional without internal nodes Enter-exit only for a routineEnter-exit only for a routine Call of empty routineCall of empty routine
April 19, 2023 CHET 51
Checking the Abstract Checking the Abstract ProgramProgram
Find all possible event sequencesFind all possible event sequences Compute all possible runs of the Compute all possible runs of the
programprogram Determining what state each run leaves the Determining what state each run leaves the
specification automata inspecification automata in State = automata state + variable valuesState = automata state + variable values For each routine and start stateFor each routine and start state
Determine the possible states at each nodeDetermine the possible states at each node Determining the set of final statesDetermining the set of final states
This can then be applied recursively This can then be applied recursively Context-free model checkingContext-free model checking
April 19, 2023 CHET 52
Checking Threaded Checking Threaded ProgramsPrograms
Identify each potential thread Identify each potential thread (asynch)(asynch) Build a single automata for that threadBuild a single automata for that thread
By inlining the calls of the various routinesBy inlining the calls of the various routines By merging nested calls beyond a levelBy merging nested calls beyond a level
Then extend the state for checking Then extend the state for checking To include all thread statesTo include all thread states But limit the number of threads of But limit the number of threads of
each typeeach type
April 19, 2023 CHET 53
Finding an Example RunFinding an Example Run Once we know a final stateOnce we know a final state
We want a concrete execution We want a concrete execution sequencesequence
Done as a breadth-first searchDone as a breadth-first search Over abstract program executionOver abstract program execution Find a shortest executionFind a shortest execution May give up if too costlyMay give up if too costly
April 19, 2023 CHET 54
Interactive Result ViewerInteractive Result Viewer
April 19, 2023 CHET 55
ExperienceExperience Checking CHET on CLIMEChecking CHET on CLIME
521 tests, 21 errors detected (789/29)521 tests, 21 errors detected (789/29) CoverageCoverage
Manually verify all instances identifiedManually verify all instances identified CorrectnessCorrectness
Check all errors, ensure validCheck all errors, ensure valid Spot check othersSpot check others Check known failing casesCheck known failing cases
False PositivesFalse Positives About 1/3 of errors flagged are false positivesAbout 1/3 of errors flagged are false positives
System.exitSystem.exit Generally due to erroneous control flow (exceptions)Generally due to erroneous control flow (exceptions) Much less frequently due to overestimation of flowsMuch less frequently due to overestimation of flows
April 19, 2023 CHET 56
Experience -- TimingsExperience -- TimingsSystem LOC #BC Proj #BC flow time # Test # Errors Avg Test Max Test Total Time
Onsets 2669 137236 6210 41.47 12 2 7.8 55 01:28.6
Crawler 3562 148510 5502 50.33 32 10 10.2 76 01:27.4
Pinball 11266 380673 65541 173.76 57 11 94.3 971 03:45.6
Freecs 20570 228163 50567 109.77 68 2 10.7 452 03:05.6
Taiga 51945 320453 49134 485.62 197 7 1367.8 257964 14:43.6
Egothor 54317 744304 255770 545.537 819 178 3.9 253 22:13.2
Clime 67573 580707 124925 862.36 789 29 17.2 2140 24:16.2
Jalopy 94636 639310 348843 1697.79 36 9 18.5 222 31:32.1
Openjms 95470 468754 34951 584.79 55 46 75.1 1244 11:16.3
April 19, 2023 CHET 57
For More InformationFor More Information Steven Reiss Steven Reiss
[email protected]@cs.brown.edu Software, papers, etcSoftware, papers, etc
http://www.cs.brown.edu/people/sprhttp://www.cs.brown.edu/people/spr
April 19, 2023 CHET 58
Questions / CommentsQuestions / Comments