Reasoning About Exceptions Using Model Checking

Reid Simmons, David Garlan, Jeannette M. Wing,
George Fairbanks, Gil Tolle, Balaji Sarpeshkar, Joe Jiang
Computer Science Department, Carnegie Mellon University, Pittsburgh, PA

Exceptions and Model Checking, May 1, 2003
Outline
• Why Model Check Exceptions?
• Approach
  – IEL
  – MOPED
  – Translations
  – “Gotchas”
• Example
  – Vending Machine
Exceptions in Programming Languages
• Raising Exceptions
  – Throw of named/typed exceptions
  – Catch by nearest matching handler
  – Exceptions may form an inheritance hierarchy
• “Clean Up” Construct
  – Finally / Unwind-protect
  – Executed in both nominal and exceptional situations
• Semantics
  – Termination (C++, Java, Lisp)
  – Resumption (Mesa, Eiffel, TDL)
Why Hard?
• Non-Local Flow of Control
• Context of “Catch” Frames Determined Dynamically
• “Clean Up” Construct Adds Additional Pathways
• Hard to Reason About All Possible Execution Paths
• Impossible To Do So Purely Locally
Overview of Our Approach

    Source Code → IEL → MOPED → Counter Example
                         ↑
                  Specifications
Intermediate Exception Language (IEL)
• Captures Commonalities of Exception Handling Among Different Languages
• Focuses on Control-Flow Constructs Relevant to Reasoning About Exceptions
  – Catch/Throw/Finally
  – Iteration and Conditionals
  – Break and Return
  – Assignment
  – Procedures
  – Hierarchical Exceptions
• Minimal Data Representation
  – No value-returning functions
IEL Example: Resource Locking

    var locked: int
    exception e1

    procedure main () {
      locked := 0
      while true {
        try {
          lock()
          randomException()
          unlock()
        } catch e1 {
          /* unlock() */
        }
      }
    }

    procedure lock () {
      if locked = 1 then error()
      if locked = 0 then locked := 1
    }

    procedure randomException () {
      if (p) throw e1
    }
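The reachability question this slide poses (can `error()` in `lock()` be reached?) is small enough to answer by hand, which makes it a good illustration of what the model checker does. The following is an added example, not code from the slides or from the IEL/MOPED project: it encodes the program's single global `locked` and the nondeterministic predicate `p`, explores both values of `p` at every loop iteration, and returns the sequence of `p` choices that reaches `error()`, the way a model checker returns a counterexample trace. The switch `unlock_in_handler` is this example's own device for comparing the slide's program with the version that restores the commented-out `unlock()`.

```python
# Added example (not from the slides or the IEL/MOPED project): explicit-state
# reachability for the resource-locking program.  The only global state is
# `locked`, and the only nondeterminism is the branch `if (p) throw e1`, so
# both values of p are explored at every trip around `while true`.

from collections import deque

ERROR = "error()"   # marker: lock() reached `if locked = 1 then error()`


def iteration(locked, p, unlock_in_handler):
    """Run one loop iteration for a fixed value of the predicate p.

    Returns the new value of `locked`, or ERROR if lock() called error().
    `unlock_in_handler` (this example's switch) restores the unlock() call
    that the slide leaves commented out inside `catch e1`.
    """
    # lock()
    if locked == 1:
        return ERROR
    locked = 1
    # randomException(): `if (p) throw e1` transfers control to the catch e1
    # handler, skipping the unlock() that follows the call in the try block.
    if p:
        if unlock_in_handler:
            locked = 0
        return locked
    # unlock(), reached only on the nominal path
    return 0


def find_error_trace(unlock_in_handler):
    """Breadth-first search over the reachable values of `locked`, starting
    from the `locked := 0` in main().  Returns the shortest sequence of p
    choices that reaches error(), or None when the state space is exhausted
    without reaching it (the model checker's "property holds")."""
    start = 0
    seen = {start}
    queue = deque([(start, [])])
    while queue:
        locked, trace = queue.popleft()
        for p in (0, 1):
            nxt = iteration(locked, p, unlock_in_handler)
            if nxt == ERROR:
                return trace + [p]           # counterexample trace
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [p]))
    return None


if __name__ == "__main__":
    # Slide's program: the first iteration throws and leaks the lock,
    # the second iteration's lock() hits error().
    print("unlock() commented out:", find_error_trace(False))   # [1, 0]
    # With unlock() in the handler the lock is always released.
    print("unlock() in handler:   ", find_error_trace(True))    # None
```

The trace `[1, 0]` reads as: `p` true on the first iteration (exception thrown, `unlock()` skipped), then any value of `p` on the second, because `lock()` fails before `randomException()` is ever called. With `unlock()` restored in the handler the search exhausts the two reachable states without finding `error()`.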
MOPED
• Model Checker for Push-Down Automata
  – Stefan Schwoon’s Ph.D. Thesis
  – Symbolic Model Checker
  – Handles Procedures with Local Variables
  – Need to Explicitly Handle Frame Axioms
• Verifies LTL State Reachability Formulae
  – Currently cannot handle LTL formulae involving variables
• Minimal Data Representation
Translating IEL → MOPED
• Create Local Translation Rules for Each IEL Construct

• Assign (x := y)
      q <proc.N>  --> q <proc.N+1>    (x’ = y & frame.All.Except(x))

• Conditional (if p then stmt)
      q <proc.N>  --> q <proc.N+1>    “if true”   (p = 1 & frame.All)
      q <proc.N>  --> q <proc.N’>     “if false”  (p = 0 & frame.All)
      …stmt…
      q <proc.N’> …

• Throw (throw ex)
      q <proc.N>  --> q <proc.Ex>     (ex’ = 1 & …)

• Try/Catch (try { tryblock } catch ex { catchblock })
      q <proc.N>  --> q <proc.Try>    “jump past catch”  (frame.All)
      q <proc.Ex> --> q <proc.Catch>  “caught ex”        (ex = 1 & …)
      q <proc.Ex> --> q <proc.N>      “didn’t catch ex”  (ex = 0 & …)
      …catchBlock translation…
      …tryBlock translation…
      q <proc.N> …
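To make the rule schemes concrete, here is an added example, not code from the slides and not the authors' translator: a toy generator that walks a small IEL syntax tree and emits one MOPED-style rewrite rule per construct, allocating concrete program points where the slide writes N, N+1 and N'. The tuple encoding of the syntax tree, the label names `Ex1`/`Catch1`, and the way the slide's "& …" is filled in (throw sets only `ex`, catch clears only `ex`, a flat-hierarchy simplification) are this example's own assumptions.

```python
# Added example (not from the slides or the MOPED tool): a toy generator for
# the local translation rules on this slide.  Statements are tuples (this
# example's own encoding): ("assign", x, y), ("if", p, stmt), ("throw", ex),
# ("try", tryblock, ex, catchblock), ("seq", [stmts]).  Program points are
# numbered as they are allocated; "Ex" is the procedure's own exit-by-exception
# point, i.e. an uncaught exception propagates to the caller.


class Translator:
    def __init__(self, proc):
        self.proc = proc
        self.rules = []
        self.n = 0               # last allocated program point
        self.ntry = 0            # numbers the Ex/Catch labels of try statements
        self.ex_target = ["Ex"]  # where a throw lands; the bottom entry is the caller

    def pt(self, label):
        return f"q <{self.proc}.{label}>"

    def fresh(self):
        self.n += 1
        return str(self.n)

    def rule(self, src, dst, guard, note=None):
        parts = [self.pt(src), "-->", self.pt(dst)]
        if note:
            parts.append(f"\u201c{note}\u201d")
        parts.append(f"({guard})")
        self.rules.append(" ".join(parts))

    def stmt(self, s, at):
        """Translate statement `s` starting at program point `at`; return the
        point control reaches when the statement completes normally."""
        kind = s[0]
        if kind == "seq":
            for sub in s[1]:
                at = self.stmt(sub, at)
            return at
        if kind == "assign":                      # x := y
            _, x, y = s
            nxt = self.fresh()
            self.rule(at, nxt, f"{x}' = {y} & frame.All.Except({x})")
            return nxt
        if kind == "if":                          # if p then stmt
            _, p, body = s
            then_pt = self.fresh()
            self.rule(at, then_pt, f"{p} = 1 & frame.All", "if true")
            after = self.stmt(body, then_pt)      # N' is wherever the body ends
            self.rule(at, after, f"{p} = 0 & frame.All", "if false")
            return after
        if kind == "throw":                       # throw ex
            _, ex = s
            self.rule(at, self.ex_target[-1], f"{ex}' = 1 & frame.All.Except({ex})")
            return self.fresh()                   # nothing after a throw is reachable
        if kind == "try":                         # try { t } catch ex { c }
            _, tryblock, ex, catchblock = s
            self.ntry += 1
            ex_pt, catch_pt = f"Ex{self.ntry}", f"Catch{self.ntry}"
            self.ex_target.append(ex_pt)          # throws inside the try land here
            end_try = self.stmt(tryblock, at)
            self.ex_target.pop()
            after = self.fresh()
            self.rule(end_try, after, "frame.All", "jump past catch")
            self.rule(ex_pt, catch_pt,
                      f"{ex} = 1 & {ex}' = 0 & frame.All.Except({ex})", "caught ex")
            self.rule(ex_pt, self.ex_target[-1], f"{ex} = 0 & frame.All", "didn't catch ex")
            end_catch = self.stmt(catchblock, catch_pt)
            self.rule(end_catch, after, "frame.All")
            return after
        raise ValueError(f"unknown IEL construct {kind!r}")


def translate(proc, body):
    """Translate a procedure body and return its rules as strings."""
    t = Translator(proc)
    t.stmt(body, "0")
    return t.rules


# Constructed input: the try statement of the resource-locking example, with
# the procedure calls replaced by the assignments and the test they perform.
LOCK_TRY = ("try",
            ("seq", [("assign", "locked", "1"),
                     ("if", "p", ("throw", "e1")),
                     ("assign", "locked", "0")]),
            "e1",
            ("seq", []))

if __name__ == "__main__":
    for r in translate("main", LOCK_TRY):
        print(r)
```

Every rule carries a frame axiom, which is the point of the slide's `frame.All` and `frame.All.Except(x)`: MOPED does not assume unmentioned variables keep their values, so each rule must say so explicitly. The exception-target stack is what makes the "didn't catch ex" rule chain from an inner try to the next enclosing handler and finally to the procedure's own `Ex` point.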
“Gotchas”
• Exception Hierarchy
• (Nested) Finally Blocks
• Break and Return Statements
Modeling Exception Hierarchy

    exception e0
    exception e1 extends e0

    try { throw e1 } catch e0 {}

• Preprocess IEL Code to Determine Hierarchy
• “Throw” Explicitly Sets Exception and All Its Parents
      q <proc.N> --> q <proc.Ex>    (e1’ = 1 & e0’ = 1 & …)
• Matching “Catch” Clears All Exceptions
      q <proc.N> --> q <proc.N+1>   (e0’ = 0 & e1’ = 0 & e2’ = 0 & …)
Modeling Finally Blocks

    try {
      if q then throw e1
    } finally {
      try {
        if p then throw e2
      } catch e1 {
        x := x / 0
      }
      x := x + 1
    }

• Store State of Exceptions Upon Entering Finally Block
• Clear All Exceptions Before Executing Finally Block
• Restore Exception State at End of Finally Block, Unless a New Exception Was Raised
Modeling Nested Finally Blocks

                                     NL = 0; EL = -1
    try {
      throw e1                       NL = 1; EL = 0
    } finally {
      try {
        if p then throw e2           NL = 2; EL = 1/0 (1 if e2 was thrown, else 0)
      } finally {
        x := x + 1
      }                              NL = 1
      x := x + 1
    }                                NL = 0

    try {
      throw e1
    } finally {
      try {
        throw e2
      } catch e2 {
      } finally {
      }
      x := x + 1
    }

• Store State of Exceptions Upon Entering Finally
  – Plus Keep Track of “nesting level” and “exception level”
• Increment “nesting level” on Entering, and Decrement on Exit
• Clear All Exceptions Before Executing Finally Block
• Before Entering Finally Block with an Exception, Set “exception level” to “nesting level”
• Propagate Exception on Exit if “exception level” equals “nesting level”
Modeling Break and Return Statements
• “Break” and “Return” Interact in Interesting Ways with Exceptions and Finally Blocks

    while (x < 5) {
      try {
        if x=3 then {
          try {
            throw e1
            break
          } finally { … }
        }
      } finally {
        x := x * 5
      }
    }

    try {
      throw e1
      break
    } finally {
      x := x * 5
    }

• Approach: Treat “Break” and “Return” as Exceptions that do not Propagate!!
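The bookkeeping described on the last four slides (hierarchy, finally, nested finally, break) can be executed directly. The following is an added example, not code from the slides or from the project's translator: a small Python model of the exception flags with the NL/EL counters and a single saved copy of the flags, plus combinators for the IEL statements, used to run the slides' finally and nested-finally programs and a constructed loop that breaks through a finally block. Treating a single saved copy as sufficient (because an exception raised inside a finally supersedes the one stored on entry) is this example's reading of the slides.

```python
# Added example (not from the slides or the IEL/MOPED project): an executable
# model of the exception flags the translation maintains.  Exceptions are global
# 0/1 flags; throw sets an exception and all its parents; a matching catch
# clears every flag; finally uses the slides' nesting level (NL) and exception
# level (EL) plus one saved copy of the flags; break is an exception its loop
# clears rather than propagates.  The hierarchy and programs are constructed.

HIERARCHY = {"e0": None, "e1": "e0", "e2": "e0", "break": None}

class ExceptionModel:
    def __init__(self, hierarchy=HIERARCHY):
        self.h, self.flags = hierarchy, dict.fromkeys(hierarchy, 0)
        self.v = {"x": 0, "y": 0}                    # program variables
        self.saved, self.NL, self.EL = None, 0, -1   # stored flags, nesting/exception level

    def pending(self):
        return any(self.flags.values())

    def raised(self):
        return {e for e, f in self.flags.items() if f}

    def throw(self, ex):
        while ex is not None:                # set ex and all of its parents
            self.flags[ex] = 1
            ex = self.h[ex]

    def catch(self, ex):
        if not self.flags[ex]:               # set by ex itself or by a child of ex
            return False
        self.flags = dict.fromkeys(self.h, 0)   # a matching catch clears all exceptions
        return True

    def run_finally(self, body):
        if self.pending():                   # store the state; EL := NL marks its owner
            self.saved, self.EL = dict(self.flags), self.NL
        self.NL += 1
        self.flags = dict.fromkeys(self.h, 0)   # the body sees no pending exception
        body(self)
        self.NL -= 1
        if self.EL == self.NL:               # this level stored an exception:
            if not self.pending():           # restore it unless the body raised a new one
                self.flags = self.saved
            self.saved, self.EL = None, -1

    def while_loop(self, cond, body):
        while cond(self) and not self.pending():
            body(self)
            if self.flags["break"]:          # break is cleared here, never propagated
                self.flags["break"] = 0
                return

# Statement combinators: a statement is a callable taking the model.
def seq(*stmts):
    def run(m):
        for s in stmts:
            if m.pending():                  # a throw leaves the block
                return
            s(m)
    return run

def throw(ex): return lambda m: m.throw(ex)
def when(pred, stmt): return lambda m: stmt(m) if pred(m) else None   # if pred then stmt
def assign(var, fn): return lambda m: m.v.update({var: fn(m.v)})      # var := fn(vars)
def inc(var): return assign(var, lambda v: v[var] + 1)

def try_catch(body, ex, handler):
    def run(m):
        body(m)
        if m.catch(ex):
            handler(m)
    return run
def try_finally(body, fin): return lambda m: (body(m), m.run_finally(fin))

def single_finally(q, p):
    # try { if q then throw e1 } finally {
    #   try { if p then throw e2 } catch e1 { x := x / 0 }  x := x + 1 }
    m = ExceptionModel()
    try_finally(seq(when(lambda m: q, throw("e1"))),
                seq(try_catch(seq(when(lambda m: p, throw("e2"))), "e1",
                              assign("x", lambda v: v["x"] // 0)),  # unreachable: e1 was cleared
                    inc("x")))(m)
    return m.raised(), m.v["x"]

def nested_finally(p):
    # try { throw e1 } finally {
    #   try { if p then throw e2 } finally { x := x + 1 }  x := x + 1 }
    m = ExceptionModel()
    try_finally(seq(throw("e1")),
                seq(try_finally(seq(when(lambda m: p, throw("e2"))), seq(inc("x"))),
                    inc("x")))(m)
    return m.raised(), m.v["x"]

def break_through_finally():
    # while (x < 100) { try { x := x + 1  if x = 3 then break } finally { y := y + 1 } }
    m = ExceptionModel()
    m.while_loop(lambda m: m.v["x"] < 100,
                 try_finally(seq(inc("x"), when(lambda m: m.v["x"] == 3, throw("break"))),
                             seq(inc("y"))))
    return m.raised(), m.v["x"], m.v["y"]
```

`single_finally(1, 0)` ends with `e1` pending again and `x = 1`: the `catch e1` inside the finally block never sees the outer `e1`, because the flags were cleared on entry, so the division by zero is unreachable. `single_finally(1, 1)` ends with `e2` pending and `x = 0`: the new exception supersedes the stored `e1`. `nested_finally(1)` shows the EL bookkeeping from the slide: the inner finally stores `e2` at level 1 and re-raises it on exit, which then suppresses the outer restore of `e1`. `break_through_finally()` runs the finally body on the breaking iteration (`y = 3`) and leaves no exception pending after the loop.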
Example: Vending Machine
• Model of Vending Machine
  – Machine vends product, if it has that product in stock and sufficient $$ put in
  – Represented by Java program that has significant exceptions
  – From TSE article by Sinha & Harrold
• Verify that if Money is Put in the Machine, Eventually it will either Return Money or Vend Product
  – Static analysis is insufficient
  – Hand-coded IEL program from Java source; automated IEL → MOPED translation
  – Found bug in the program (could keep on adding money indefinitely, no limit)
Ongoing and Future Work
• Translating Java → IEL
  – Work in Progress
  – Parser and Most of Translator Exist
  – Main Difficulty in Dealing with Objects
    • Complex data structures, Inheritance, Dynamic memory allocation
• Add Specification Language to IEL
• Translate Other Languages (C++, Lisp)
• Model the Resumption Model of Exceptions
• Test on Software with Significant Exceptions