Finite Model Generation for Distributed Java Programs

Eric MADELAINE, Rabea BOULIFA
OASIS team, INRIA Sophia-Antipolis, France

Model Checking for Dependable Software-Intensive Systems, San Francisco, June 21, 2003

Context

• Analysis and verification software platform for distributed Java applications: pervasive and mobile computing, e-commerce, grid computing.
• Long term goal: full language, usable by non-specialists.
• Automatic tools = static analysis, model-checkers, equivalence / preorder checkers.

[Diagram: Graphical / Logical Specifications and Code analysis feed a Finite model (this talk), which is input to Automatic tools, diagnostics, etc.]

• Software verification: ESC-Java, CADP, Slam, Blast, Feaver, Bandera, JPF
• So, what's special with distributed applications?
  – Asynchronous communication
    » error-prone, state explosion
  – Structured: composition of distributed components
    » hierarchical construction / reduction / analysis of models
    » bisimulation semantics
  – Well-defined, architecture-independent semantics
    » with the ProActive Library.
• Inherit methods and tools from existing software: static analysis from Soot; slicing / abstraction from Bandera; standard or prototype checkers (action based).

Distributed Java Applications: the ProActive Library

• Features: distributed, mobile, heterogeneous.
• Transparent distribution: no shared data between distributed objects.
• Message semantics (method calls + request queue) => delivery guaranteed by the middleware (MOP).
• Requests and responses: transparent future objects with "wait by necessity".

ProActive: Communication Scheme

Local object / Remote object:
1: method call, f = RO.M(args), emits !Req(M, args, f)
2: request arriving in the queue, ?Req(M, args, f)
3: request served (executed and removed), V = Serv(M, args)
4: response sent, then received: !Rep(V, f) / ?Rep(V, f); X = f.a (access to the future f waits by necessity)

Model: Parameterised Networks of synchronised LTSs

• Actions = Requests/Responses (method name + finite abstraction of arguments)
• Finite Extended LTSs (integer variables)
• Synchronisation Networks [Arnold 80]
• Concrete syntax: FC2 intermediate language extended for encoding integer parameters

[Diagram: the Stock(s) extended LTS, with transitions [st>0] ?Serve(stamp) -> st--, !Req(Newstamps), and ?Rep(Newstamps, x) -> st+=x; an Invoice(v, k) activity; a global action vector < *, …, L1, …, L2, …, * >.]
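As an added example (not from the slides or the Vercors tools), the Stock activity above written as a finite extended LTS in Python and then finitely instantiated by bounding st; the Waiting control state, the st == 0 guard on !Req, and the bound on the argument x are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

# Constructed example: the Stock activity as an extended LTS (variable st), finitely instantiated.
State = Tuple[str, int]  # (control state, value of st)

@dataclass(frozen=True)
class Rule:
    src: str
    label: str                         # "{x}" is replaced by the argument
    dst: str
    guard: Callable[[int, int], bool]  # (st, x) -> enabled?
    update: Callable[[int, int], int]  # (st, x) -> new st
    params: range                      # finite abstraction of the argument

def stock_rules(max_st: int) -> List[Rule]:
    """Labels as on the slide; Waiting state and st == 0 guard are assumptions."""
    return [
        Rule("Idle", "?Serve(stamp)", "Idle",
             lambda st, _: st > 0, lambda st, _: st - 1, range(1)),
        Rule("Idle", "!Req(Newstamps)", "Waiting",
             lambda st, _: st == 0, lambda st, _: st, range(1)),
        Rule("Waiting", "?Rep(Newstamps,{x})", "Idle",
             lambda st, x: st + x <= max_st, lambda st, x: st + x,
             range(1, max_st + 1)),
    ]

def instantiate(rules: List[Rule], init: State):
    """Finite instantiation: return the reachable concrete (states, transitions)."""
    states: Set[State] = {init}
    trans: List[Tuple[State, str, State]] = []
    todo = [init]
    while todo:
        ctrl, st = todo.pop()
        for r in rules:
            if r.src != ctrl:
                continue
            for x in r.params:          # enumerate the finite argument domain
                if r.guard(st, x):
                    nxt = (r.dst, r.update(st, x))
                    trans.append(((ctrl, st), r.label.format(x=x), nxt))
                    if nxt not in states:
                        states.add(nxt)
                        todo.append(nxt)
    return states, trans

def deadlocks(states: Set[State], trans) -> List[State]:
    """Reachable states with no outgoing transition, one check the finite model allows."""
    live = {s for s, _, _ in trans}
    return sorted(s for s in states if s not in live)
```

With max_st = 0 (no refill possible) the instantiation exposes a deadlock in Waiting, while with max_st = 2 all four reachable states are live.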

Model Construction (1): Nets

[Diagram: network of boxes Q1 + A1, Q2 + A2, Q3 + A3 and P(k), linked by Req(M, args) and Rep(v) actions.]

• Finitely many active objects class / creation points
• User provided approximation of arguments (abstract interpretation to finite or integer domains)
=> Boxes and Links computed by static analysis (dataflow, reference and alias analysis)

Model Construction (2): Activities

• 1 LTS per activity
• Construction by SOS rules, based on the Method Call Graph of the active object.
• Termination guaranteed (for a finite data abstraction)
=> Rules and proofs in the full paper: http://www-sop.inria.fr/oasis/Vercors

Parameterised Verification Methods

[Diagram: Source Code -> Model Construction -> FC2 -> Finite Instantiation -> Classical Tools (bisimulation-based): Model Checkers, Eq/Preorder Checkers. Parameterised Specification (parameterised networks / parameterised logics) -> FC2p -> Specialised Tools: Moped (PD Systems), TRex (Automata on reg. struct.), Harvey (constraint, eq. theories).]

Conclusion

• Behaviour models of ProActive distributed applications encode asynchronous communication between distributed objects.
• With usual data/structure abstraction, we build finite, hierarchical models suitable for automatic verification.
• Parameterised models can be finitely instantiated (adapted to each property), or directly fed into specialised tools. They are more compact and more flexible.
• Case Study: Chilean electronic tax system

Directions

• Other ProActive features: group communication, security policy specification.
• Behaviour specification for distributed components (in ObjectWeb / Fractal)

Finite Model Generation for Distributed Java Programs

Eric MADELAINE, Rabea BOULIFA
OASIS team, INRIA Sophia-Antipolis, France
http://www-sop.inria.fr/oasis/Vercors
http://www-sop.inria.fr/oasis/Proactive