Analyzing Java Programs Using JavaFAN. Feng Chen

Analyzing Java Programs Using JavaFAN
Feng Chen
Joint work with Azadeh Farzan, Jose Meseguer and Grigore Rosu

JavaFAN (Java Formal Analyzer)

Inside Java Semantics

JavaRL (Java Rewrite Logic) Semantics
• An operational semantics
• An execution = a sequence of state transitions
  – State transitions
    • Equations: deterministic, sequential state transitions
    • Rewrite rules: nondeterministic, concurrent state transitions
  – State definition

JavaState (diagram): Threads (Thread 1, Thread 2, Thread 3, …), Shared Resource, Source Code

JavaState – Shared Resource (diagram): Store, Input, Output, Static Fields, Busy Locks, Counters

JavaState - Definition

  sort JavaState .
  op code : Classes -> JavaState .       --- source code
  op t : ThreadCtrl -> JavaState .       --- thread contexts
  op out : Output -> JavaState .         --- output
  op in : ValueList -> JavaState .       --- input
  op store : Store -> JavaState .        --- memory
  op static : ObjEnv -> JavaState .      --- the static fields of classes
  op busy : ObjectSet -> JavaState .     --- the locks in use
  op nextLoc : Int -> JavaState .        --- the next available location
  op nextTid : Int -> JavaState .        --- the next thread id
  op __ : JavaState JavaState -> JavaState [comm assoc] .   --- a state is a multiset of these components

ThreadCtrl (diagram): Threads (Thread 1, Thread 2, Thread 3, …), each with Id, Continuation, Environment, Locks, Exception Stack, Final Blocks, Owner, Function Stack, Loop Stack

ThreadCtrl - Definition

  sorts ThreadCtrl FlowStackItem FlowStack .
  op id : Int -> ThreadCtrl .                  --- the thread id
  op k : Continuation -> ThreadCtrl .          --- the continuation
  op obj : Object -> ThreadCtrl .
  op fstack : FlowStack -> ThreadCtrl .        --- function stack
  op xstack : FlowStack -> ThreadCtrl .        --- exception stack
  op lstack : FlowStack -> ThreadCtrl .        --- loop stack
  op finalblocks : FlowStack -> ThreadCtrl .   --- final blocks
  op env : Env -> ThreadCtrl .                 --- the environment
  op holds : LockSet -> ThreadCtrl .           --- the locks held by the thread
  op __ : ThreadCtrl ThreadCtrl -> ThreadCtrl [comm assoc] .

  subsort FlowStackItem < FlowStack .
  op noItem : -> FlowStackItem .
  op fsi : Continuation ThreadCtrl -> FlowStackItem .
  op __ : FlowStack FlowStack -> FlowStack [assoc id: noItem] .

Continuation:

  sort Continuation .
  op stop : -> Continuation .
  op noop : -> Continuation .
  op _->_ : Continuation Continuation -> Continuation [assoc] .
  var K : Continuation .
  eq noop -> K = K .

Addition:

  --- first evaluate both operands, then apply +
  eq k((E + E') -> K) = k((E, E') -> (+ -> K)) .
  --- both operands are integer values: add them
  eq k((int(I), int(I')) -> (+ -> K)) = k(int(I + I') -> K) .

Environment and Store

Environment: mapping from names to locations

  sort Env .
  op noEnv : -> Env .
  op [_,_] : Qid Location -> Env .
  op __ : Env Env -> Env [assoc comm id: noEnv] .

Store: mapping from locations to values

  sort Store .
  op noStore : -> Store .
  --- the last component stores the thread id;
  --- needed for fine-grained concurrency and for reclaiming locations
  op [_,_,_] : Location Value Int -> Store .
  op __ : Store Store -> Store [assoc comm id: noStore] .

Example: Store Accesses

Fetch a value:

  --- location owned by the current thread I: a deterministic equation
  eq t(k(#(L) -> K) id(I) tc) store([L, V, I] st)
   = t(k(V -> K) id(I) tc) store([L, V, I] st) .
  --- owner -2: also deterministic
  eq t(k(#(L) -> K) id(I) tc) store([L, V, -2] st)
   = t(k(V -> K) id(I) tc) store([L, V, -2] st) .
  --- shared location (owner -1): a rewrite rule, i.e. a nondeterministic step
  rl t(k(#(L) -> K) id(I) tc) store([L, V, -1] st)
  => t(k(V -> K) id(I) tc) store([L, V, -1] st) .

Set a value:

  eq t(k([V -> L] -> K) id(I) tc) store([L, V', I] st)
   = t(k(K) id(I) tc) store([L, setTid(V, I), I] st) .
  eq t(k([V -> L] -> K) id(I) tc) store([L, V', -2] st)
   = t(k(K) id(I) tc) store([L, V, -2] st) .
  rl t(k([V -> L] -> K) id(I) tc) store([L, V', -1] st)
  => t(k(K) id(I) tc) store([L, shared(V), -1] st) .
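The continuation rule for addition, the environment/store mapping and the store-access rules above, run as a small Python model. This is an added example, not JavaFAN or Maude code: the `Thread` class, item tags such as `pair_rest`, and the functions `step` and `run` are this example's own names, and the store contents are constructed. Each step reports whether a deterministic equation or a nondeterministic rewrite rule fired, which is the distinction the JavaRL slide draws between sequential and concurrent transitions:

```python
from dataclasses import dataclass

SHARED = -1   # owner tid the slides use for shared locations: rewrite rules apply
STATIC = -2   # the slides' other special owner value: equations apply


@dataclass
class Thread:
    tid: int
    k: list     # continuation items, head first, like k(item -> K)
    env: dict   # name -> location (the slides' Env)


def rule_kind(tid, owner):
    """Kind of rule the slides apply to a location with this owner tid."""
    if owner in (tid, STATIC):
        return "eq"   # deterministic equation
    if owner == SHARED:
        return "rl"   # nondeterministic rewrite rule: an interleaving point
    raise LookupError(f"thread {tid} has no rule for a location owned by thread {owner}")


def step(th, store):
    """Apply one rule to `th` in place. Returns 'eq', 'rl', or None when nothing is left."""
    if not th.k:
        return None
    item, tag = th.k[0], th.k[0][0]
    if tag == "add":      # eq k((E + E') -> K) = k((E, E') -> (+ -> K))
        th.k[0:1] = [item[1], ("pair_rest", item[2]), ("plus",)]
        return "eq"
    if tag == "var":      # name -> location through env, then the fetch #(L)
        th.k[0:1] = [("fetch", th.env[item[1]])]
        return "eq"
    if tag == "assign":   # evaluate the right-hand side, then the write [V -> L]
        th.k[0:1] = [item[2], ("set", th.env[item[1]])]
        return "eq"
    if tag == "fetch":    # t(k(#(L) -> K) id(I) tc) store([L, V, owner] st): V replaces #(L)
        value, owner = store[item[1]]
        th.k[0:1] = [("int", value)]
        return rule_kind(th.tid, owner)
    if tag == "vals" and th.k[1:2] == [("plus",)]:
        th.k[0:2] = [("int", item[1] + item[2])]   # eq k((int(I), int(I')) -> (+ -> K)) = k(int(I + I') -> K)
        return "eq"
    if tag == "int" and len(th.k) == 1:
        return None   # a final value with nothing left in the continuation
    if tag == "int":
        frame = th.k[1]
        if frame[0] == "pair_rest":   # first operand evaluated: now the second
            th.k[0:2] = [frame[1], ("pair_done", item[1])]
            return "eq"
        if frame[0] == "pair_done":   # both operands evaluated: (int(I), int(I'))
            th.k[0:2] = [("vals", frame[1], item[1])]
            return "eq"
        if frame[0] == "set":         # t(k([V -> L] -> K) id(I) tc) store([L, V', owner] st)
            loc = frame[1]
            kind = rule_kind(th.tid, store[loc][1])
            store[loc] = [item[1], store[loc][1]]   # setTid/shared retag objects only; ints are unchanged
            th.k[0:2] = []
            return kind
    raise ValueError(f"no rule applies to {item}")


def run(th, store):
    """Drive `th` until its continuation is exhausted; count equations and rewrite rules."""
    counts = {"eq": 0, "rl": 0}
    kind = step(th, store)
    while kind is not None:
        counts[kind] += 1
        kind = step(th, store)
    return counts


def demo():
    """Thread 1 evaluates z = x + y with x, z thread-owned and y shared (constructed data)."""
    env = {"x": 0, "y": 1, "z": 2}
    store = {0: [3, 1], 1: [4, SHARED], 2: [0, 1]}   # location -> [value, owner tid]
    th = Thread(1, [("assign", "z", ("add", ("var", "x"), ("var", "y")))], env)
    return run(th, store), store[2][0]


def foreign_location_is_stuck():
    """Thread 2 reading a location owned by thread 1: no rule matches, so evaluation is stuck."""
    try:
        run(Thread(2, [("var", "x")], {"x": 0}), {0: [3, 1]})
    except LookupError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), foreign_location_is_stuck())   # ({'eq': 9, 'rl': 1}, 7) True
```

Only the read of the shared location `y` is a rewrite-rule step; everything else is equational. That is what keeps the state space small for model checking: interleavings are only explored at rewrite rules, and a location owned by another thread has no matching rule at all, so a read of it is simply stuck rather than silently racy.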

Object (diagram): Current Type, Original Type, Enclosing Environment, Enclosing Object, and for each class in the hierarchy (Class C1, Class C2, …): Class Type, Fields, Environment

Object - Definition

  sorts ObjEnvItem ObjEnv ObjectAttribute .
  subsort Object < Value .
  op o : ObjectAttribute -> Object .
  op __ : ObjectAttribute ObjectAttribute -> ObjectAttribute [comm assoc id: noAttr] .
  op noAttr : -> ObjectAttribute .
  op f : ObjEnv -> ObjectAttribute .       --- the fields, one item per class in the hierarchy
  op curr : Type -> ObjectAttribute .      --- current type
  op orig : Type -> ObjectAttribute .      --- original type
  op encEnv : Env -> ObjectAttribute .     --- the env of the enclosing block

  op __ : ObjEnv ObjEnv -> ObjEnv [comm assoc id: onil] .
  op onil : -> ObjEnv .
  op [_] : ObjEnvItem -> ObjEnv .
  op t : Type -> ObjEnvItem .              --- class type
  op enc : Object -> ObjEnvItem .          --- the enclosing object
  op f : Env -> ObjEnvItem .               --- the fields declared by this class
  op inil : -> ObjEnvItem .
  op _,_ : ObjEnvItem ObjEnvItem -> ObjEnvItem [comm assoc id: inil] .

Access Object Fields

  --- the owise attribute lets the system object take effect first, e.g. System.out
  eq k((E . X) -> K) = k(E -> (.(X) -> K)) [owise] .
  --- start the search at the object's current type
  eq k(o(oattr curr(T)) -> (.(X) -> K)) = k(o(oattr curr(T)) -> (.(X, T) -> K)) .
  --- instance field declared by class T
  eq k(o(oattr curr(T) f([oeitem, t(T), f(([X, L] env))] oEnv)) -> (.(X, T') -> K)) = k(#(L) -> K) .
  --- static field of class T
  eq t(k(o(oattr curr(T)) -> (.(X, T') -> K)) tc) static([t(T), f([X, L] env)] oEnv)
   = t(k(#(L) -> K) tc) static([t(T), f([X, L] env)] oEnv) .
  --- not found in T: continue with its superclass
  eq t(k(o(curr(T) oattr) -> (.(X, T') -> K)) tc) code(Cl)
   = t(k(o(curr(getSuper(T, Cl)) oattr) -> (.(X, T') -> K)) tc) code(Cl) [owise] .
  --- reached Object: a variable of the enclosing block (local class)
  eq k(o(curr(Object) encEnv([X, L] env) oattr) -> (.(X, T) -> K)) = k(#(L) -> K) .
  --- otherwise a field of the enclosing object (inner class)
  eq k(o(oattr curr(Object) f([enc(obj), t(T), oeitem] oEnv)) -> (.(X, T) -> K)) = k(obj -> (.(X) -> K)) [owise] .
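The lookup order these equations encode, as an added Python example (not JavaFAN's code): `Obj`, `resolve_field`, `lookup` and the class tables below are constructed for the example, and the comment beside each branch names the equation it mirrors.

```python
from dataclasses import dataclass, field

OBJECT = "Object"   # root of the class hierarchy, as in the curr(Object) equations


@dataclass
class Obj:
    curr: str                   # curr(T): class whose fields are searched first
    fields: dict                # class name -> {field: location}, the f([... t(T), f(env) ...]) items
    enc_env: dict = field(default_factory=dict)   # encEnv: locations visible from the enclosing block
    enc_obj: object = None      # enc(obj): enclosing object of an inner class, if any


def resolve_field(obj, name, supers, static):
    """One object's share of `E.X`: ('loc', L) when the field is found, or
    ('enclosing', obj2) when the search must continue on the enclosing object.
    Order: instance fields of T, static fields of T, then getSuper(T) [owise];
    at Object: the enclosing block's environment, then the enclosing object [owise]."""
    t = obj.curr
    while True:
        if name in obj.fields.get(t, {}):     # eq k(o(.. curr(T) f([.., t(T), f([X, L] env)] ..)) -> (.(X, T') -> K)) = k(#(L) -> K)
            return ("loc", obj.fields[t][name])
        if name in static.get(t, {}):         # eq t(k(o(.. curr(T)) -> ..) tc) static([t(T), f([X, L] env)] ..) = .. k(#(L) -> K)
            return ("loc", static[t][name])
        if t != OBJECT:                       # [owise]: curr(getSuper(T, Cl)) and try again
            t = supers[t]
            continue
        if name in obj.enc_env:               # eq k(o(curr(Object) encEnv([X, L] env) ..) -> ..) = k(#(L) -> K)
            return ("loc", obj.enc_env[name])
        if obj.enc_obj is not None:           # [owise]: k(obj -> (.(X) -> K)) on the enclosing object
            return ("enclosing", obj.enc_obj)
        raise AttributeError(f"no field {name!r} reachable from class {obj.curr}")


def lookup(obj, name, supers, static):
    """Full `E.X`: keep delegating to enclosing objects until a location is returned."""
    while True:
        kind, value = resolve_field(obj, name, supers, static)
        if kind == "loc":
            return value
        obj = value


# --- constructed class layout (hypothetical classes, not from the slides) ----
SUPERS = {"Derived": "Base", "Base": OBJECT, "Inner": OBJECT, "Local": OBJECT}
STATIC_FIELDS = {"Base": {"total": 30}}                # static([t('Base), f(['total, 30] env)] ..)
derived = Obj("Derived", {"Derived": {"name": 20}, "Base": {"count": 10}})
inner = Obj("Inner", {}, enc_obj=derived)              # inner-class instance enclosed by `derived`
local = Obj("Local", {}, enc_env={"k": 40})            # local class capturing block variable k


def demo():
    return (lookup(derived, "name", SUPERS, STATIC_FIELDS),    # own field
            lookup(derived, "count", SUPERS, STATIC_FIELDS),   # inherited from Base
            lookup(derived, "total", SUPERS, STATIC_FIELDS),   # static field of Base
            lookup(inner, "count", SUPERS, STATIC_FIELDS),     # via the enclosing object
            lookup(local, "k", SUPERS, STATIC_FIELDS))         # via the enclosing block's env


if __name__ == "__main__":
    print(demo())   # (20, 10, 30, 10, 40)
```

Every branch ends in a location `#(L)` that is then read through the store rules of the previous slide, so the ownership check (thread-owned, static, or shared) applies to field reads exactly as it does to local variables.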

Demos

Java Analyzer

  javarl.JavaRL -cls <path> [options] [MainClass]
  Options: [-maudecode] [-op <path>] [-mc <path>] [-s deadlock]

  – -cls <path>: the class path; can be a directory or a Java file
  – -maudecode: generate the Maude module only
  – -op <path>: write the output to the specified file
  – -mc <path>: model check the program against the property specified in the property file
  – -s deadlock: search for deadlocks
  – MainClass: the main class of the program; if omitted, the first class with a main method is used

Interpretation

  javarl.JavaRL -cls <path> [MainClass]

  class Sum {
    public static void main(String[] args) {
      int sum = 0;
      for (int i = 0; i < 10000; i++) sum += i;
      System.out.println(sum);
    }
  }

Search

  javarl.JavaRL -cls <path> -s deadlock [MainClass]

Model Checking

  javarl.JavaRL -cls <path> -mc <path> [MainClass]

Property Specification

Syntax:

  Property   ::= Atom* Formula
  Atom       ::= "atom" <name> ":" <className> ("." | "@") BooleanExp ("/\" BooleanExp)*
  BooleanExp ::= <field> (">" | ">=" | "<=" | "==") <integer>
  Formula    ::= "formula" ":" <LTL formula>

Example:

  atom readers: data@rnum > 0
  atom writers: data@wnum > 0
  formula : [](~(readers /\ writers))

Property in Maude

  javarl.JavaRL -cls <path> -maudecode -op <path>

  op readers : -> Prop .
  ceq run(store([L, o(objAttr f([t(t('data)), f(['rnum, L0] env)] oEnv)), I] [L0, int(I0), I0'] store) state) |= readers = true
   if (I0 > 0) .
  eq output |= readers = false [owise] .
  op writers : -> Prop .
  ceq run(store([L, o(objAttr f([t(t('data)), f(['wnum, L0] env)] oEnv)), I] [L0, int(I0), I0'] store) state) |= writers = true
   if (I0 > 0) .
  eq output |= writers = false [owise] .
  op program : -> Output .
  …
  red modelCheck(program, [](~(readers /\ writers))) .
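The deadlock search and the LTL safety check above, as an added Python example (not JavaFAN's implementation, which hands the generated Maude module to Maude's `search` command and LTL model checker): `explore`, the thread programs and the `readers_and_writers` predicate are constructed here. It enumerates every interleaving of small lock/counter programs, reports a deadlock trace when every unfinished thread is blocked, and treats `[] ~(readers /\ writers)` as the invariant that no reachable state has both counters positive:

```python
from collections import deque


def freeze(d):
    """Hashable, order-independent snapshot of a dict so each state is visited once."""
    return tuple(sorted(d.items()))


def enabled(state, threads):
    """Thread ids that can take a step: not finished and not blocked on a held lock."""
    pcs, locks, _ = state
    held = dict(locks)
    for tid, prog in enumerate(threads):
        if pcs[tid] < len(prog):
            op, arg = prog[pcs[tid]]
            if op != "lock" or arg not in held:
                yield tid


def apply(state, threads, tid):
    """Successor state after thread `tid` executes its next operation."""
    pcs, locks, shared = state
    held, vals = dict(locks), dict(shared)
    op, arg = threads[tid][pcs[tid]]
    if op == "lock":
        held[arg] = tid        # the lock is free: `enabled` checked that
    elif op == "unlock":
        held.pop(arg)          # programs are assumed to unlock only what they hold
    elif op == "inc":
        vals[arg] += 1
    elif op == "dec":
        vals[arg] -= 1
    pcs = pcs[:tid] + (pcs[tid] + 1,) + pcs[tid + 1:]
    return (pcs, freeze(held), freeze(vals))


def trace(parent, state):
    """Rebuild the interleaving that led to `state` as a list of (tid, op)."""
    steps = []
    while parent[state] is not None:
        state, tid, op = parent[state]
        steps.append((tid, op))
    return steps[::-1]


def explore(threads, init_vars, unsafe):
    """Breadth-first search of every reachable state. Returns the number of
    states, the first deadlock trace (some thread unfinished, none enabled) and
    the first trace to a state where `unsafe` holds, i.e. a counterexample to
    the invariant [] ~unsafe."""
    init = (tuple(0 for _ in threads), (), freeze(init_vars))
    parent = {init: None}
    queue = deque([init])
    result = {"states": 0, "deadlock": None, "violation": None}
    while queue:
        s = queue.popleft()
        result["states"] += 1
        if result["violation"] is None and unsafe(dict(s[2])):
            result["violation"] = trace(parent, s)
        successors = list(enabled(s, threads))
        unfinished = any(pc < len(p) for pc, p in zip(s[0], threads))
        if result["deadlock"] is None and unfinished and not successors:
            result["deadlock"] = trace(parent, s)
        for tid in successors:
            n = apply(s, threads, tid)
            if n not in parent:
                parent[n] = (s, tid, threads[tid][s[0][tid]])
                queue.append(n)
    return result


# --- constructed sample programs (not from the slides) -----------------------
def readers_and_writers(v):
    """The slides' atoms: readers = rnum > 0, writers = wnum > 0; unsafe when both hold."""
    return v["rnum"] > 0 and v["wnum"] > 0


COUNTERS = {"rnum": 0, "wnum": 0}
UNGUARDED = [[("inc", "rnum"), ("dec", "rnum")],                    # reader and writer race
             [("inc", "wnum"), ("dec", "wnum")]]
GUARDED = [[("lock", "m"), ("inc", "rnum"), ("dec", "rnum"), ("unlock", "m")],
           [("lock", "m"), ("inc", "wnum"), ("dec", "wnum"), ("unlock", "m")]]
LOCK_ORDER = [[("lock", "a"), ("lock", "b"), ("unlock", "b"), ("unlock", "a")],   # opposite lock order
              [("lock", "b"), ("lock", "a"), ("unlock", "a"), ("unlock", "b")]]

if __name__ == "__main__":
    for name, prog in [("unguarded", UNGUARDED), ("guarded", GUARDED), ("lock order", LOCK_ORDER)]:
        print(name, explore(prog, COUNTERS, readers_and_writers))
```

A formula of the shape `[] ~p` is a safety property, so reachability over the interleaved state space is enough to decide it, and the returned trace is the counterexample a user of `-mc` would expect. Liveness formulas (`<>`, `U`) need the Büchi-automaton product that Maude's LTL model checker builds; this example stops short of that.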

Java PathFinder
• A VM-based model checker for Java
• Customizable via programming
  – Expressive, but requires more effort
• http://javapathfinder.sourceforge.net/

Resource
• Official website: http://javafan.cs.uiuc.edu