[PPT] - !"#$%&'()*+,$-$"+)'$.$ !"#$/()0$123'04$ PowerPoint Presentation

SLIDE 1

!"#$%&'()*+,$-$"+)'$.$ !"#$/()0$123'04$

5,,04$6330)$ 1'0,,078(39:$;7<0)3'2$ =(3'$(>$':0$3,?03$82$"0'0)$=0:,'@$

SLIDE 2

A<0)<*0B$

CD+4E,03$
5:+'$*3$!"#F$
CD'07?*7G$!"#$

– H3'070)3$ – I2'09(?0$#+9'()03$ – =(?0,$9,+3303$

J0K7G$3'+)'0?$

– L(B7,(+?M$N73'+,,$+7?$O&7$P7$C9,E30Q$

J((G,0$1&440)$(>$/(?0$

SLIDE 3

5:+'$*3$!"#F$

3&)E)*3*7G,2$:+)?$'($3&44+)*@0$-$9+7$80$&30?$>()$4+72$':*7G3$
0D'073*8,0$<*)'&+,$4+9:*70$>)+40B()R$>()$!+<+$82'09(?0$<0)*S9+T(7U$

B()R8079:$'($0V9*07',2$*4E,0407'$+,,$R*7?3$(>$<0)*S9+T(7$'((,3$

'2E*9+,$&30$9+303U$$

– 3(WB+)0$4(?0,$9:09R*7G$P?0+?,(9R$X$)+90$?0'09T(7Q$ – ?00E$*73E09T(7$P7&40)*9$+7+,23*3M$*7<+,*?$+99033Q$ – '03'$9+30$G070)+T(7$P3248(,*9$0D09&T(7Q$ – YYY$+7?$4+72$4()0$$

SLIDE 4

Z*3'()2$(>$!"#$

7('$+$70B$E)([09'U$+)(&7?$>()$.\$20+)3$+7?$

9(7T7&(&3,2$?0<0,(E0?U$

– .]]]$-$E)([09'$3'+)'0?$+3$>)(7'$07?$>()$1E7$4(?0,$9:09R0)$ – ^\\\$-$)04E,0407'+T(7$+3$9(79)0'0$<)'&+,$4+9:70$>()$ 3(WB+)0$4(?0,$9:09R7G$P9(79&))0792$?0>09'3Q$ – ^\\_$-$7')(?&9T(7$(>$0D'073(7$7'0)>+903$ – ^\\`$-$(E07$3(&)90?$(7$1(&)90>()G0$ – ^\\a$-$E+)T9E+T(7$7$J((G,0$1&440)$(>$/(?0$ – ^\\]$-$4(<0?$'($(B7$30)<0)M$:(3T7G$0D'073(7$E)([09'3$ +7?$5R*$$

SLIDE 5

;30)3F$

4+[()$&30)$G)(&E$*3$+9+?04*9$)030+)9:$-$9(,,+8()+T(73$B*':$b^\$

&7*<0)3*T03$B(),?B*?0$P&*&9Y0?&M$&7,Y0?&M$82&Y0?&M$&47Y0?&M$1'0,,078(39:$ c+M$5+'0),(($/+M$dN1%$!EM$/:+),03$;7*<0)3*'2$")+G&0$/@M$YYQ$

9(4E+7*03$7('$3($(&'3E(R07$P0D90ET(7$#&[*'3&$-$300$E)033$)0,0+303M$0YGY$

:eEUffBBBY>&[*'3&Y9(4fG,(8+,f70B3fE)f+)9:*<03f4(7':f ^\.\f^\.\\..^-\^Y:'4,Q$M$8&'$&30?$82$30<0)+,$#()'&70$`\\$9(4E+7*03$

,('3$(>$P4(3',2Q$+7(724(&3$+7?$E)*<+'0$&30)3$Pg.\\\$:*'3f?+2$(7$B083*'0M$

g.\$?(B7,(+?3f?+2M$gh\$)0+?$')+73+9T(73f?+2M$*7*T+,,2$h\\\$?(B7,(+?3f 4(7':Q$

4+72$&303$*73*?0$id1dM$8&'$4(3',2$4(?0,$<0)*S9+T(7$+'$d403$O030+)9:$

/07'0)$

SLIDE 6

dB+)?3$

B*?0,2$)09(G7*@0?M$+B+)?3$>()$!"#$*7$G070)+,$+7?$>()$

)0,+'0?$B()RM$'0+4$+7?$7?<*?&+,3$

– ^\\_$-$j%&)77G$J(+,3$7'($O0+,'2k$P%JNOQ$C7G700)7G$ N77(<+T(7$dB+)?$>)(4$':0$AV90$(>$d0)(1E+90$ %09:7(,(G2$ – ^\\lM$^\\`$-$d403$/(7')+9'()$/(&79,$dB+)?3$ – ^\\m$-$NI=n3$Z+>+$60)S9+T(7$/(7>0)0790$PZ6/Q$+B+)?$ – ^\\]$-$jA&'3'+7?*7G$%09:7(,(G2$L0<0,(E407'k$+B+)?$(>$ ':0$#0?0)+,$H+8()+'()2$/(73()T&4$>()$%09:7(,(G2$%)+73>0)$ P#H/Q$

SLIDE 7

i($#)00$H&79:$

2(&$700?$'($,0+)7$

– !"#$3$7('$+$,G:'B0G:'$'((,$ – o0D8*,'2$:+3$'3$E)90$-$9(7SG&)+T(7$9+7$80$7T4?+T7G$ – 4G:'$)0p&)0$0D'073(7$>()$2(&)$1;%$PE)(E0)T03M$,8)+)03Q$

2(&$B*,,$079(&7'0)$&7*4E,0407'0?f4*33*7G$E+)'3$

P0YGY$;73+T3S0?H*7RC))()Q$

– &3&+,,2$0+32$'($4E,0407'$ – 0D90ET(7U$3'+'0-)0,0<+7'$7+T<0$,8)+)03$P[+<+Y(M$[+<+Y70'Q$ – 9+7$80$0*':0)$4(?0,0?$()$3'&880?$

2(&$700?$3&*'+8,0$'03'$?)*<0)3$

SLIDE 8

!"#q3$Z(40$

:eEUff8+80,S3:Y+)9Y7+3+YG(<f')+9f[E>$

!"#q3$;30)$#()&4$

:eEUffG)(&E3YG((G,0Y9(4fG)(&Ef[+<+-E+':S7?0)$

SLIDE 9

9

5:0)0$'($,0+)7$4()0$-$':0$!"#-5R$

SLIDE 10

r02$"(*7'3$

!"#$*3$)030+)9:$E,+s()4$!"#$E)(?&9T(7$'((,$P8+3*3Q$
!"#$*3$?03*G70?$>()$0D'073*8*,*'2$
!"#$*3$(E07$3(&)90$
!"#$*3$+7$(7G(*7G$9(,,+8()+T<0$?0<0,(E407'$E)([09'$$
!"#$9+77('$S7?$+,,$8&G3$

$$$$$-$8&'$+3$(>$'(?+2$-$ $$$$$$$$$$$3(40$(>$':0$4(3'$0DE073*<0$8&G3$(7,2$!"#$9+7$S7?$

!"#$*3$4(?0)+'0,2$3*@0?$323'04$Pg^\\R3,(9$9()0$t$0D'073*(73Q$
!"#$)0E)0307'3$b^\$4+7$20+)$?0<0,(E407'$0u()'$
!"#$*3$E&)0$!+<+$+EE,*9+T(7$PE,+s()4$*7?0E07?07'Q$

SLIDE 11

11

dEE,*9+T(7$%2E03$

SLIDE 12

CD+4E,03$

3(WB+)0$4(?0,$9:09R*7G$P1=/Q$(>$E)(?&9T(7$9(?0$

– ?+'+$+9p&*3*T(7$P)+7?(4M$&30)$*7E&'Q$ – 9(79&))0792$P?0+?,(9RM$)+903Q$

?00E$*73E09T(7$(>$E)(?&9T(7$9(?0$

– E)(E0)'2$+77('+T(73$P/(73'M$"8/MYYQ$ – 7&40)*9$<0)*S9+T(7$P(<0)o(BM$9+790,,+T(7Q$

4(?0,$<0)*S9+T(7$

– ;=H$3'+'09:+)'3$

'03'$9+30$G070)+T(7$

@Const int dontChangeMe() {..} double x = (y - z) * c numeric error of x?

SLIDE 13

!"#$+7?$':0$Z(3'$!6=$

<0)*S0?$!+<+$E)(G)+4$*3$0D09&'0?$82$!"#M$B:*9:$*3$+$<*)'&+,$

4+9:70$4E,0407'0?$7$!+<+M$Y0Y$)&73$(7$'(E$(>$+$:(3'$!6=$ ⇒$0+32$'($G0'$9(7>&30?$+8(&'$B:($0D09&'03$B:+'$

SLIDE 14

!"#$1')&9'&)0$

SLIDE 15

L*)09'()2$$ 1')&9'&)0$

+,,$!"#$E)([09'3$3:+)0$

&7*>()4$?*)09'()2$,+2(&'$

8*7+)2$?*3')*8&T(73$+)0$

3,*903$(>$3(&)90$ ?*3')*8&T(73$ P*7'0)9:+7G0+8,0Q$

_)?$E+)'2$'((,3$X$,*8)+)*03$

9+7$80$*79,&?0?$P30,>- 9(7'+*70?Q$

+,,$E)([09'3$:+<0$0D+4E,03$

+7?$)0G)033*(7$'03'$3&*'03$ P0<07'&+,,2$Q$

E)([09'3$:+<0$(&'-(>-':0-

8(D$ NLC$9(7SG&)+T(7$ PiIMC9,*E30Q$

SLIDE 16

!"#$%(E-,0<0,$1')&9'&)0$

'B($4+[()$9(73')&9'3U$

10+)9:$+7?$!6=$

!6=$E)(?&903$$

E)(G)+4$$ 3'+'03$

10+)9:$*3$':0$$

!6=$?)*<0)$

SLIDE 17

10+)9:$"(,903$

3'+'0$0DE,(3*(7$4*TG+T(7U$30+)9:$':0$*7'0)03T7G$3'+'0$3E+90$E+)'$

S)3'$PjG0'$'($':0$8&G$0+),2M$80>()0$)&77*7G$(&'$(>$404()2kQ$

10+)9:$*73'+7903$079+E3&,+'0$P9(7SG&)+8,0Q$30+)9:$E(,*9*03$

SLIDE 18

CDE,()7G$/:(903$

4(?0,$9:09R0)$700?3$9:(*903$'($0DE,()0$3'+'0$3E+90$
':0)0$+)0$4+72$E('07T+,$'2E03$(>$9:(*903$P39:0?&,*7GM$?+'+M$YYQ$
9:(*90$'2E03$3:(&,?$7('$80$:+)?B*)0?$*7$4(?0,$9:09R0)$

SLIDE 19

/:(*90$J070)+'()3$

')+73*T(73$80G*7$B*':$+$9:(*90$+7?$0D'07?$&7T,$':0$70D'$

/:(90J070)+'()$P/JQ$3$30'$P82$73')&9T(7M$7+T<0$E00)$()$,3'070)Q$

+?<+790$E(3*T(73$':0$/J$(7$':0$70D'$&7E)(90330?$9:(*90$P*>$+72Q$
8+9R')+9R$G(03$&E$'($':0$70D'$/J$B*':$&7E)(90330?$9:(*903$
/:(*90$J070)+'()3$+)0$9(7SG&)+8,0$+3$B0,,M$*Y0Y$9)0+'0$2(&)$(B7$

SLIDE 20

H3'070)3M$':0$!"#$",&G73$

SLIDE 21

H*3'070)3$N4E,0407'+T(7$

SLIDE 22

CD+4E,0$H3'070)$ /:09R7G$i(7i&,,$d77('+T(7$(7$O0'&)7$

public class NonnullChecker extends ListenerAdapter { ... public void executeInstruction (JVM vm) { Instruction insn = vm.getLastInstruction(); ThreadInfo ti = vm.getLastThreadInfo(); if (insn instanceof ARETURN) { // check @NonNull method returns ARETURN areturn = (ARETURN)insn; MethodInfo mi = insn.getMethodInfo(); if (areturn.getReturnValue(ti) == null) { if (mi.getAnnotation(“java.annotation.Nonnull”) != null) { Instruction nextPc = ti.createAndThrowException( "java.lang.AssertionError", "null return from @Nonnull method: " + mi.getCompleteName()); ti.setNextPC(nextPC); return; } } ...

SLIDE 23

I2'09(?0$N73')&9T(7$#+9'()*03$

SLIDE 24

CD+4E,0$v$I2'09(?0$#+9'()2$

E)(<*?0$+,'0)7+T<0$N73')&9T(7$9,+3303$>()$)0,0<+7'$82'09(?03$
9)0+'0$X$9(7SG&)0$N73')&9T(7#+9'()2$':+'$*73'+7T+'03$':04$

void notSoObvious(int x){ int a = x*50; int b = 19437583; int c = a; for (int k=0; k<100; k++){ c += b; System.out.println(c); }} ... notSoObvious(21474836); ... [20] iinc [21] goto 10 [10] iload_4 [11] bipush [12] if_icmpge 22 [13] iload_3 [14] iload_2 [15] iadd ... class IADD extends Instruction { Instruction execute (.., ThreadInfo ti) { int v1 = ti.pop(); int v2 = ti.pop(); int res = v1 + v2; if ((v1>0 && v2>0 && res<=0) …throw ArithmeticException..

JPF configuration!

vm.insn_factory.class = .numeric.NumericInstructionFactory

class loading! compiler! code execution! (by JPF)!

SLIDE 25

=!N$-$=(?0,-!+<+-N7'0)>+90$

0D09&T(7$,(B0)*7G$>)(4$!"#$0D09&'0?$9(?0$*7'($!6=$0D09&'0?$9(?0$

SLIDE 26

=!N$-$N4E,0407'+T(7$

SLIDE 27

=!N$-$CD+4E,0$

public class JPF_java_lang_String { ! ... ! public static int indexOf__I__I (MJIEnv env, int objref, int c) { ! int vref = env.getReferenceField(objref, "value"); ! int off = env.getIntField(objref, "offset"); ! int len = env.getIntField(objref, "count"); ! for (int i=0, j=off; i<len; i++, j++){ ! if ((int)env.getCharArrayElement(vref, j) == c) ! return i; ! } ! return -1; ! } ! public static int toCharArray_____3C (MJIEnv env, int objref){ ! ... ! int cref = env.newCharArray(len); ! for (int i=0, j=off; i<len; i++, j++){ ! env.setCharArrayElement(cref, i, env.getCharArrayElement(vref, j)); ! } ! return cref; ! } ! public static boolean matches__Ljava_lang_String_2__Z(MJIEnv env,int objRef, int regexRef) { ! String s = env.getStringObject(objRef); ! String r = env.getStringObject(regexRef); ! return s.matches(r); ! }!

SLIDE 28

^a$

A8'+77G$!"#$

=0)9&)*+,$)0E(3*'()*03$(7$$

$$:eEUff8+80,S3:Y+)9Y7+3+YG(<f:Gf[E>fw[E>-9()0M[E>- +E)(EMYYYx$

C9,*E30$1'0E3$

P.Q $J0'$=0)9&)*+,$$

P.Q $C9,*E30$;E?+'0$3*'0U$:eEUff9803Y[+<+>()G0Y9(4f&E?+'0$$

P^Q $J0'$[E>-9()0$

P.Q $File – Import – Mercurial - Clone repository using Mercurial - Next$$ P^Q $1E09*>2$:eEUff8+80,S3:Y+)9Y7+3+YG(<f:Gf[E>f[E>-9()0$$ P_Q $/:09R$':0$8(D$>()$n10+)9:$>()$YE)([09'$S,03$*7$9,(70$+7?$&30$':04$ '($9)0+'0$E)([09'3n$$ PlQ $#*7*3:$

P_Q $I&*,?$

P.Q $Project – Properties - Select Builders - Ant Builder - Click Edit P^Q $Click JRE tab - Separate JREs - Installed JREs P_Q $Pick a JDK 1.6xxxy!OC$B*,,$7('$S7?$[+<+9$

SLIDE 29

O&77*7G$!"#$P.Q$

/)0+'0$site.properties$*7$$(user.home)/.jpf

– A70$,*70$*3$07(&G:$>()$7(BU$ – $(user.home)/My Documents/workspace/jpf-core

N73'+,,$C9,*E30$",&G*7$P>)(4$':0$B083*'0$?039)*ET(7Q$

– C73&)0$':+'$2(&$+)0$)&777G$C9,E30$bz$_Y`$PJ+,,0(Q$ – N7$C9,E30$G($'($Z0,E$-b$N73'+,,$i0B$1(WB+)0$ – N7$':0$70B$B7?(B$30,09'0?${d??{$ – %:0$7+40$3$&E$'($2(&$8&'M$30'${H(9+T(7{$'($ :eEUff8+80,S3:Y+)9Y7+3+YG(<f')+9f[E>f)+B-+e+9:407'fBRf 73'+,,f09,E30-E,&G7f&E?+'0f$ – #)(4$':0${5()R$B':U{$?)(E$?(B7$407&$30,09'$':0$&E?+'0$3'0$ ':+'$2(&$[&3'$07'0)0?$>)(4$':0$E)0<(&3$3'0E$ – /:09R$':0${C9,E30-!"#{$9:09R$8(DM$30,09'${i0D'{$+7?$G($':)(&G:$ ':0$73'+,,$E)(9033Y$

SLIDE 30

O&77*7G$!"#$P^Q$

O*G:'$9,*9R$(7$|Y[E>$S,0$+7?$E*9R$j60)*>2k$

– J($'($src/examples$+7?$)G:'$9,9R$(7$

ldclassic.jpf

– 1:(&,?$300$+$?0+?,(9R}$

SLIDE 31

/(7SG&)*7G$!"#$

+,4(3'$7(':*7G$*7$!"#$*3$:+)?B*)0?$⇒$G)0+'$o0D*8*,*'2$8&'$9(7SG$9+7$80$

*7T4*?+T7G$

+,,$(>$!"#3$9(7SG&)+T(7$*3$?(70$':)(&G:$!+<+$E)(E0)T03$

P8&'$B*':$3(40$0D'07?0?$E)(E0)'2$S,0$>()4+'Q$

– R02B()?$0DE+73*(7$$jpf-root = ${user.home}/jpf$

E)0<*(&3,2$?0S70?$E)(E0)T03$
323'04$E)(E0)T03$

– +EE07?$$extensions+=,jpf-aprop$ – E)0E07?$$$+peer_packages=jpf-symbc/build/peers,$ – ?*)09T<03$

?0E07?079*03$$@requires jpf-awt$
)09&)3*<0$,(+?*7G$$@include ../jpf-symbc/jpf.properties$
:*0)+)9:*9+,$E)(9033$

– 323'04$?0>+&,'3$P>)(4$[E>Y[+)Q$ – 3*'0YE)(E0)T03$ – E)([09'$E)(E0)T03$>)(4$+,,$3*'0$9(7SG&)0?$E)([09'3$P~E)([09'-?*)bf[E>YE)(E0)T03Q$ – 9&))07'$E)([09'$E)(E0)T03$PYf[E>YE)(E0)T03Q$ – 30,09'0?$+EE,*9+T(7$E)(E0)T03$S,0$P|Y[E>Q$ – 9(44+7?$,*70$+)G3$P0YGY$$$bin/jpf +listener=.listeners.ExecTracker ...Q$

no space between key and ‘+’ !!

SLIDE 32

/(7SG&)+T(7$9(7'Y$

SLIDE 33

O&77*7G$!"#$

>()$E&)*3'3$P'0?*(&3M$?($(7,2$*>$2(&$:+<0$'(Q$

– 30K7G$&E$9,+33E+':3$$>export CLASSPATH=...jpf-core/build/jpf.jar...$ – *7<(R*7G$!6=$$$>java gov.nasa.jpf.JPF +listener=... x.y.MySUT $

&3*7G$3*'0$9(7SG$+7?$3'+)'0)$[+)3$P4&9:$0+3*0)$+7?$E()'+8,0Q$

– 0DE,*9*',2$$>java -jar tools/RunJPF.jar MySUT-verify.jpf$ – &3*7G$39)*E'3$$>bin/jpf MySUT-verify.jpf

)&77*7G$!"#$>)(4$B*':*7$!;7*'$
)&77*7G$!"#$>)(4$2(&)$E)(G)+4$P'((,3$&3*7G$!"#Q$
&3*7G$i0'I0+73$()$C9,*E30$E,&G*73$

– j60)*>2YYk$9(7'0D'$407&$*'04$>()$30,09'0?$|Y[E>$+EE,*9+T(7$E)(E0)'2$S,0$ – &3*7G$E)(<*?0?$,+&79:$9(7SG3$PC9,*E30Q$()$)&7$'+)G0'3$Pi0'I0+73Q$

SLIDE 34

!"#$+7?$!;7*'$

?0)*<0$2(&)$'03'$9+303$>)(4$

gov.nasa.jpf.util.test.TestJPF

)&7$7()4+,,2$&7?0)$!;7*'$()$>)(4$d7'$<junit ..> '+3R$
80$+B+)0$(>$':+'$'03'$9+30$*3$)&7$82$!6=$!"#$!"#$

public class ConstTest extends TestJPF { ! static final String[] JPF_ARGS = { "+listener=.aprop.listener.ConstChecker" }; ! //--- standard driver to execute single test methods ! public static void main(String[] args) { ! runTestsOfThisClass(args); ! } ! //--- the test methods ! @Test ! public void testStaticConstOk () { ! if (verifyNoPropertyViolation(JPF_ARGS)){" ConstTest.checkThis();! } }! ...!

code checked by JPF! Verification goal!

SLIDE 35

1&440)$")([09'3$

]$J((G,0$1&440)$(>$/(?0$")([09'3$
`$d403$*7'0)73:*E3$
.$#&[*'3&$*7'0)73:*E$

http://babelfish.arc.nasa.gov/trac/jpf/wiki/summer-projects/start!

SLIDE 36

/(79,&3*(73$

!"#$*3$+$:*G:,2$0D'073*8,0$'((,$3&*'0$
N'$*3$7(B$.\$20+)3$(,?$+7?$:+3$8007$(E07$

3(&)90$>()$:+,>$':+'$T40$

1($E,0+30M$&30$*'M$9:+7G0$*'y$
/(7'+9'$>()$4()0$*7>()4+T(7$

– "0'0)$=0:,'@$$PE0'0)Y9Y40:,'@7+3+YG(<Q$ – i0:+$O&7G'+$P70:+Y3Y)&7G'+7+3+YG(<Q$ – /()7+$"+3+)0+7&$P/()7+Y1Y"+3+)0+7&7+3+YG(<Q$ – 5,,04$6330)$PB,,04G4+,Y9(4Q$

SLIDE 37

JPF Tutorial – Part 2 Symbolic PathFinder – Symbolic Execution of Java Byte-code

Corina Pãsãreanu Carnegie Mellon University/NASA Ames Research

SLIDE 38

Symbolic PathFinder (SPF)

Combines symbolic execution with model checking and constraint

solving to perform symbolic execution

Used mainly for automated test-case generation
Applies to executable models (e.g. Stateflow, UML state-machines)

and to code

Generates an optimized test suite that exercise all the behavior of

the system under test

Reports coverage (e.g. MC/DC)
During test generation process, checks for errors
Uses JPF’s search engine
Applications:

– NASA (JSC’s Onboard Abort Executive, PadAbort-1, Ames K9 Rover Executive, Aero, TacSat -- SCL script generation, testing of fault tolerant systems) – Fujitsu (testing of web applications, 60 000 LOC) – Academia (MIT, U. Minnesota, U. Nebraska, UT Austin, Politecnico di Milano, etc.)

SLIDE 39

Features

SPF handles:

Inputs and operations on booleans, integers, reals
Complex data structures (with polymorphism)
Complex Math functions
Pre-conditions, multi-threading
Preliminary support for: String, bit-vector, and array operations

Allows for mixed concrete and symbolic execution

Start symbolic execution at any point in the program and at any time during

execution Can be used:

As customizable test case generator

– User specifies coverage criterion, e.g..MC/DC – Search strategy, e.g. BFS or DFS – Output format, e.g. HTML tables or JUnit tests

To generate counter-examples to safety properties in concurrent programs
To prove light-weight properties of software
For differential analysis between program versions [FSE’08]

SLIDE 40

Model Checking vs. Testing/Simulation

OK FSM Simulation/ Testing error OK FSM specification Model Checking error trace

Line 5: … Line 12: … … Line 41:… Line 47:…

Model individual state

machines for subsystems / features

Simulation/Testing:

– Checks only some of the system executions – May miss errors

Model Checking:

– Automatically combines behavior of state machines – Exhaustively explores all executions in a systematic way – Handles millions of combinations – hard to perform by humans – Reports errors as traces and simulates them on system models

SLIDE 41

Java PathFinder (JPF)

Explicit state model checker for Java bytecode

– Built on top of custom made Java virtual machine

Focus is on finding bugs

– Concurrency related: deadlocks, (races), missed signals etc. – Java runtime related: unhandled exceptions, heap usage, (cycle budgets) – Application specific assertions

JPF uses a variety of scalability enhancing mechanisms

– user extensible state abstraction & matching – on-the-fly partial order reduction – configurable search strategies – user definable heuristics (searches, choice generators)

Recipient of NASA “Turning Goals into Reality” Award, 2003.
Open sourced:

– <javapathfinder.sourceforge.net> – ~14000 downloads since publication

Largest application:

– Fujitsu (one million lines of code)

SLIDE 42

King [Comm. ACM 1976], Clarke [IEEE TSE 1976]
Analysis of programs with unspecified inputs

– Execute a program on symbolic inputs

Symbolic states represent sets of concrete states
For each path, build a path condition

– Condition on inputs – for the execution to follow that path – Check path condition satisfiability – explore only feasible paths

Symbolic state

– Symbolic values/expressions for variables – Path condition – Program counter

Symbolic Execution

SLIDE 43

x = 1, y = 0! 1 > 0 ? true! x = 1 + 0 = 1! y = 1 – 0 = 1! x = 1 – 1 = 0! 0 > 1 ? false! int x, y;! if (x > y) {! x = x + y;! y = x – y;! x = x – y;! if (x > y)! assert false;! }! Concrete Execution Path! Code that swaps 2 integers!

Example – Standard Execution

SLIDE 44

[PC:true]x = X,y = Y! [PC:true] X > Y ? ! [PC:X>Y]y = X+Y–Y = X! [PC:X>Y]x = X+Y–X = Y! [PC:X>Y]Y>X ?!

int x, y;! if (x > y) {! x = x + y;! y = x – y;! x = x – y;! if (x > y)! assert false;! }!

Code that swaps 2 integers: Symbolic Execution Tree: [PC:X"Y]END ! [PC:X>Y]x= X+Y!

false! true!

[PC:X>Y!Y"X]END ! [PC:X>Y!Y>X]END !

false! true!

path condition

Example – Symbolic Execution

False!! Solve path conditions ! test inputs

SLIDE 45

JPF-core’s search engine used

– To generate and explore the symbolic execution tree – To also analyze thread inter-leavings and other forms of non-determinism that might be present in the code

No state matching performed – some abstract state matching
The symbolic search space may be infinite due to loops, recursion

– We put a limit on the search depth

Off-the-shelf decision procedures/constraint solvers used to check path

conditions

– Search backtracks if path condition becomes infeasible

Generic interface for multiple decision procedures

– Choco (for linear/non-linear integer/real constraints, mixed constraints), http://sourceforge.net/projects/choco/ – IASolver (for interval arithmetic) http://www.cs.brandeis.edu/~tim/Applets/IAsolver.html – CVC3 http://www.cs.nyu.edu/acsys/cvc3/ – Other constraint solvers: HAMPI, randomized solvers for complex Math constraints – work in progress

Symbolic PathFinder

SLIDE 46

Implementation

SPF implements a non-standard interpreter of byte-codes

– To enable JPF-core to perform symbolic analysis – Replaces or extend standard concrete execution semantics of byte- codes with non-standard symbolic execution

Symbolic information:

– Stored in attributes associated with the program data – Propagated dynamically during symbolic execution

Choice generators:

– To handle non-deterministic choices in branching conditions during symbolic execution

Listeners:

– To print results of symbolic analysis (path conditions, test vectors or test sequences); to influence the search

Native peers:

– To model native libraries, e.g. capture Math library calls and send them to the constraint solver

SLIDE 47

An Instruction Factory for Symbolic Execution of Byte-codes

JPF core:

– Implements concrete execution semantics based on stack machine model – For each method that is executed, maintains a set of Instruction objects created from the method byte-codes

We created SymbolicInstructionFactory

– Contains instructions for the symbolic interpretation of byte-codes – New Instruction classes derived from JPF’s core – Conditionally add new functionality; otherwise delegate to super-classes – Approach enables simultaneous concrete/symbolic execution

SLIDE 48

Attributes for Storing Symbolic Information

Program state:

– A call stack/thread:

Stack frames/executed methods
Stack frame: locals & operands

– The heap (values of fields) – Scheduling information

We used previous experimental JPF extension of slot attributes

– Additional, state-stored info associated with locals & operands on stack frame

Generalized this mechanism to include field attributes
Attributes are used to store symbolic values and expressions created during

symbolic execution

Attribute manipulation done mainly inside JPF core

– We only needed to override instruction classes that create/modify symbolic information – E.g. numeric, compare-and-branch, type conversion operations

Sufficiently general to allow arbitrary value and variable attributes

– Could be used for implementing other analyses – E.g. keep track of physical dimensions and numeric error bounds or perform DART-like execution (“concolic”)

SLIDE 49

Handling Branching Conditions

Symbolic execution of branching conditions involves:

– Creation of a non-deterministic choice in JPF’s search – Path condition associated with each choice – Add condition (or its negation) to the corresponding path condition – Check satisfiability (with Choco, IASolver, CVC3 etc.) – If un-satisfiable, instruct JPF to backtrack

Created new choice generator

public class PCChoiceGenerator extends IntIntervalGenerator { PathCondition[] PC; … }

SLIDE 50

Example: IADD

public class IADD extends Instruction { … public Instruction execute(… ThreadInfo th){ int v1 = th.pop(); int v2 = th.pop(); th.push(v1+v2,…); return getNext(th); } } public class IADD extends ….bytecode.IADD { … public Instruction execute(… ThreadInfo th){ Expression sym_v1 = ….getOperandAttr(0); Expression sym_v2 = ….getOperandAttr(1); if (sym_v1 == null && sym_v2 == null) // both values are concrete return super.execute(… th); else { int v1 = th.pop(); int v2 = th.pop(); th.push(0,…); // don’t care … ….setOperandAttr(Expression._plus( sym_v1,sym_v2)); return getNext(th); } } }

Concrete execution of IADD byte-code: Symbolic execution of IADD byte-code:

SLIDE 51

Example: IFGE

public class IFGE extends Instruction { … public Instruction execute(… ThreadInfo th){ cond = (th.pop() >=0); if (cond) next = getTarget(); else next = getNext(th); return next; } } public class IFGE extends ….bytecode.IFGE { … public Instruction execute(… ThreadInfo th){ Expression sym_v = ….getOperandAttr(); if (sym_v == null) // the condition is concrete return super.execute(… th); else { PCChoiceGen cg = new PCChoiceGen(2);… cond = cg.getNextChoice()==0?false:true; if (cond) { pc._add_GE(sym_v,0); next = getTarget(); } else { pc._add_LT(sym_v,0); next = getNext(th); } if (!pc.satisfiable()) … // JPF backtrack else cg.setPC(pc); return next; } } } Concrete execution of IFGE byte-code: Symbolic execution of IFGE byte-code:

SLIDE 52

Lazy initialization for recursive data structures [TACAS’03]

and arrays [SPIN’05]

JPF-core used

– To generate and explore the symbolic execution tree – Non-determinism handles aliasing

Explore different heap configurations explicitly
Implementation:

– Lazy initialization via modification of GETFIELD, GETSTATIC bytecode instructions – Listener to print input heap constraints and method effects (outputs)

Handling Input Data Structures

SLIDE 53

Example

class Node { int elem; Node next; Node swapNode() { if (next != null) if (elem > next.elem) { Node t = next; next = t.next; t.next = this; return t; } return this; } }

? null E0 E1 E0 E0 E1 null E0 E1 ? E0 E1 E0 E1

Input list + Constraint Output list

E0 > E1 none E0 <= E1 none E0 > E1 E0 > E1 E0 > E1 E1 E0 ? E1 E0 E1 E0 E1 E0 null E0 E1 E0 ? null

NullPointerException

SLIDE 54

Lazy Initialization (illustration)

E0 next E1 next t null t E0 next E1 next ? next E0 next E1 t next E0 next E1 next t E0 next E1 next t

consider executing

next = t.next;

Precondition: acyclic list

E0 E1 next t null next t E0 E1 next ? next next

SLIDE 55

Generating Test Sequences with Symbolic PathFinder

Java component (Binary Search Tree, UI) add(e) remove(e) find(e) Interface Generated test sequence: BinTree t = new BinTree (); t.add(1); t.add(2); t.remove(1);

Listener SymbolicSequenceListener used to generate JUnit tests:

– method sequences (up to user-specified depth) – method parameters

JUnit tests can be run directly by the developers
Measure coverage
Support for abstract state matching
Extract specifications

SLIDE 56

Application: Onboard Abort Executive (OAE)

Prototype for CEV ascent abort handling being developed by JSC GN&C

Inputs Pick Highest Ranked Abort Checks Flight Rules to see if an abort must occur Select Feasible Aborts

OAE Structure

Results

Baseline

– Manual testing: time consuming (~1 week) – Guided random testing could not cover all aborts

Symbolic PathFinder

– Generates tests to cover all aborts and flight rules – Total execution time is < 1 min – Test cases: 151 (some combinations infeasible) – Errors: 1 (flight rules broken but no abort picked) – Found major bug in new version of OAE – Flight Rules: 27 / 27 covered – Aborts: 7 / 7 covered – Size of input data: 27 values per test case

Integration with End-to-end Simulation

– Input data is constrained by environment/physical laws Example: inertial velocity can not be 24000 ft/s when the geodetic altitude is 0 ft – Need to encode these constraints explicitly – Solution: Use simulation runs to get data correlations -- as a result, we eliminated some test cases that were impossible

Paper at ISSTA conference 2008

SLIDE 57

Generated Test Cases and Constraints

Test cases:

// Covers Rule: FR A_2_A_2_B_1: Low Pressure Oxodizer Turbopump speed limit exceeded // Output: Abort:IBB CaseNum 1; CaseLine in.stage_speed=3621.0; CaseTime 57.0-102.0; // Covers Rule: FR A_2_A_2_A: Fuel injector pressure limit exceeded // Output: Abort:IBB CaseNum 3; CaseLine in.stage_pres=4301.0; CaseTime 57.0-102.0; …

Constraints:

//Rule: FR A_2_A_1_A: stage1 engine chamber pressure limit exceeded Abort:IA

PC (~60 constraints): in.geod_alt(9000) < 120000 && in.geod_alt(9000) < 38000 && in.geod_alt(9000) < 10000 && in.pres_rate(-2) >= -2 && in.pres_rate(-2) >= -15 && in.roll_rate(40) <= 50 && in.yaw_rate(31) <= 41 && in.pitch_rate(70) <= 100 && …

SLIDE 58

Orion orbits the moon (Image Credit: Lockheed Martin).

Test-Case Generation for UML and Simulink/Stateflow Models

SLIDE 59

23

Application: Test Generation for the TTEthernet Protocol

Shown: Minimal configuration for testing agreement in TTEthernet

SLIDE 60

Tool Information

SPF is available from

http://babelfish.arc.nasa.gov/trac/jpf

You will need both jpf-core and jpf-symbc
Tool documentation can be found at:

http://babelfish.arc.nasa.gov/trac/jpf/wiki/projects/jpf-symbc/doc

File .jpf/site.properties must contain the following lines:

# modify to point to the location of jpf-symbc on your computer jpf-symbc = ${user.home}/workspace/jpf-symbc extensions+=,${jpf-symbc}

SLIDE 61

Example.java

packageexamples; publicclassExample{ publicstaticvoidmain(String[]args){

Example ex=newExample();
ex.foo(2,1);

} publicintfoo(intx,inty){

if(x>y) {
System.out.println("First");
returnx;
}
else {
System.out.println("Second");

returny;

}

} }

SLIDE 62

Example.jpf

target=examples.Example # here write your own classpath and un-comment # classpath=/home/user_name/example-project/bin symbolic.method= examples.Example.foo(sym#con) # listener to print information: PCs, test cases listener = gov.nasa.jpf.symbc.SymbolicListener # The following JPF options are usually used for SPF as well: # no state matching vm.storage.class=nil # do not stop at first error search.multiple_errors=true

SLIDE 63

Results

Running Symbolic PathFinder ... symbolic.dp=choco symbolic.minint=-100 symbolic.maxint=100 symbolic.minreal=-1000.0 symbolic.maxreal=1000.0 symbolic.undefined=0 JavaPathfinder v5.x - (C) RIACS/NASA Ames Research Center ====================================================== system under test application: examples/Example.java ====================================================== search started: 7/9/10 8:23 AM First PC # = 1 x_1_SYMINT[2] > CONST_1 SPC # = 0 **************************** Second PC # = 1 x_1_SYMINT[-100] <= CONST_1 SPC # = 0 **************************** ====================================================== Method Summaries Symbolic values: x_1_SYMINT foo(2,2) --> Return Value: x_1_SYMINT foo(-100,-100) --> Return Value: 1 ====================================================== Method Summaries (HTML) <h1>Test Cases Generated by Symbolic Java Path Finder for foo (Path Coverage) </h1> <table border=1> <tr><td>x_1_SYMINT</td></tr> <tr><td>2</td><td>2</td><td>Return Value: x_1_SYMINT</td></tr> <tr><td>-100</td><td>-100</td><td>Return Value: 1</td></tr> </table> ====================================================== results no errors detected ====================================================== statistics elapsed time: 0:00:02 states: new=4, visited=0, backtracked=4, end=2 search: maxDepth=3, constraints=0 choice generators: thread=1, data=2 heap: gc=3, new=271, free=22 instructions: 2875 max memory: 81MB loaded code: classes=71, methods=884

SLIDE 64

Options

Specify the search strategy (default is DFS)

search.class = .search.heuristic.BFSHeuristic

Limit the search depth (number of choices along the path)

search.depth_limit = 10

You can specify multiple methods to be executed symbolically as follows:

symbolic.method=<list of methods to be executed symbolically separated by ",">

You can pick which decision procedure to choose (if unspecified, choco is used as default):

symbolic.dp=choco symbolic.dp=iasolver symbolic.dp=cvc3 symbolic.dp=cvc3bitvec symbolic.dp=no_solver (explores an over-approximation of program paths; similar to a CFG traversal)

A new option was added to implement lazy initialization (see [TACAS'03] paper)

symbolic.lazy=on (default is off) -- for now it is incompatible with Strings

New options have been added, to specify min/max values for symbolic variables and also to give the default for

don't care values. symbolic.minint=-100 symbolic.maxint=100 symbolic.minreal=-1000.0 symbolic.maxreal=1000.0 symbolic.undefined=0

Globals (i.e. fields) can also be specified to be symbolic, via special annotations; annotations are also used to

specify preconditions (see src/tests/ExSymExePrecondAndMath.java).

See also other examples in src/tests and src/examples.

SLIDE 65

Comparison with Our Previous Work

JPF– SE [TACAS’03,TACAS’07]:

http://javapathfinder.sourceforge.net (symbolic extension)
Worked by code instrumentation (partially automated)
Quite general but may result in sub-optimal execution

– For each instrumented byte-code, JPF needed to check a set of byte-codes representing the symbolic counterpart

Required an approximate static type propagation to determine which byte-code to

instrument [Anand et al.TACAS’07]

– No longer needed in the new framework, since symbolic information is propagated dynamically – Symbolic JPF always maintains the most precise information about the symbolic nature of the data

[data from Fujitsu: Symbolic JPF is 10 times faster than JPF--SE]

SLIDE 66

Related Work

Model checking for test input generation [Gargantini & Heitmeyer ESEC/FSE’99,

Heimdahl et al. FATES’03, Hong et al. TACAS’02]

– BLAST, SLAM

Extended Static Checker [Flanagan et al. PLDI’02]

– Checks light-weight properties of Java

Symstra [Xie et al. TACAS’05]

– Dedicated symbolic execution tool for test sequence generation – Performs sub-sumption checking for symbolic states

Symclat [d’Amorim et al. ASE’06]

– Context of an empirical comparative study – Experimental implementation of symbolic execution in JPF via changing all the byte-codes – Did not use attributes, instruction factory; handled only integer symbolic inputs

Bogor/Kiasan [ASE’06]

– Similar to JPF—SE, uses “lazier” approach – Does not separate between concrete and symbolic data and doesn’t handle Math constraints

DART/CUTE/PEX [Godefroid et al. PLDI’05, Sen et al. ESEC/FSE’05]

– Do not handle multi-threading; performs symbolic execution along concrete execution – We use concrete execution to set-up symbolic execution

Execution Generated Test Cases [Cadar & Engler SPIN’05]
Other hybrid approaches:

– Testing, abstraction, theorem proving: better together! [Yorsh et al. ISSTA’06] – SYNERGY: a new algorithm for property checking [Gulavi et al. FSE’06]

Etc.

SLIDE 67

Selected Bibliography

[ASE’10] “Symbolic PathFnder: Symbolic Execution for Java Bytecode” – tool paper, C. Pasareanu and N. Rungta [ISSTA’08] “Combining Unit-level Symbolic Execution and System-level Concrete Execution for Testing NASA Software”, C. Pãsãreanu, P. Mehlitz, D. Bushnell,

K. Gundy-Burlet, M. Lowry, S. Person, M. Pape

[FSE’08] “Differential Symbolic Execution”, S. Person, M. Dwyer, S. Elbaum, C. Pãsãreanu [TACAS’07] “JPF—SE: A Symbolic Execution Extenion to Java PathFinder”, S. Anand, C. Pãsãreanu, W. Visser [SPIN’04] “Verification of Java Programs using Symbolic Execution and Invariant Generation”, C. Pãsãreanu, W. Visser [TACAS’03] “Generalized Symbolic Execution for Model Checking and Testing”, S. Khurshid, C. Pãsãreanu, W. Visser

SLIDE 68

Summary

Symbolic PathFinder

– Non-standard interpretation of byte-codes – Symbolic information propagated via attributes associated with program variables, operands, etc. – Available from http://babelfish.arc.nasa.gov/trac/jpf (jpf-symbc)

Applications at NASA, industry, academia
Some current work:

– Parallel Symbolic Execution [ISSTA’10] – String Analysis – with contributions from Fujitsu – Load Testing – Concolic execution (JPF’s concolic extension) Contributed by MIT: David Harvison & Adam Kiezun http://people.csail.mit.edu/dharv/jfuzz

SLIDE 69