Specifying Temporal Properties of Software Using the Bandera Specification Language
James Corbett (U. Hawaii), Matthew Dwyer, John Hatcliff, Robby (Kansas State)
http://www.cis.ksu.edu/santos/bandera
Bandera: An open tool set for model-checking Java source code
(figure: tool architecture) Java source and a temporal specification are entered through the graphical user interface; transformation and abstraction tools (slicing, abstract interpretation, static analysis, optimization control) turn them into checker inputs for off-the-shelf model checkers; checker outputs pass back through error trace mapping to the source level.
Source excerpt shown in the figure:
  void add(Object o) { buffer[head] = o; head = (head+1)%size; }
  Object take() { … tail=(tail+1)%size; return buffer[tail]; }
Property Specification Problem
- Difficult to formalize a requirement in temporal logic
  "Between the key being inserted and the key being removed, the ignition can be activated at most twice."
  …is rendered in LTL as...
  []((keyIn /\ <>keyRem) -> ((!activate /\ !keyRem) U (keyRem \/ ((activate /\ !keyRem) U (keyRem \/ (!activate U keyRem))))))
Issue: Checker Dependence
(figure) The temporal specification is written in LTL at the graphical user interface, but the checker inputs produced by the transformation and abstraction tools are checker-specific (LTL for Spin, CSP for FDR, a different input language for SMV). Mismatch!
Issue: Representation Dependence
- Source's representation:
  heap.b.head == heap.b.tail
- Model's representation:
  (((_collect(heap_b) == 1) && (BoundedBuffer_col.instance[_index(heap_b)].head == BoundedBuffer_col.instance[_index(heap_b)].tail))
   || ((_collect(heap_b) == 3) && (BoundedBuffer_col_0.instance[_index(heap_b)].head == BoundedBuffer_col_0.instance[_index(heap_b)].tail))
   || ((_collect(heap_b) == 0) && TRAP))
Issue: Naming Heap-allocated Objects
Consider multiple instances of a bounded buffer class...
Requirement: If a buffer instance becomes full, it will eventually become non-full.
In general, a heap object has no program-level name that persists throughout the lifetime of the object.
(figure: variables b1, b2, b3 referring to heap objects)
BSL: Bandera Specification Language
- Propositions are stated in terms of source code features
- Temporal relationships are expressed using field-tested specification patterns
- Heap objects are named via object quantification
Language structure:
  Quantification
  Temporal Property Specification (via pattern language)
  Assertion Property Specification (selective enabling)
  Predicate Definition
  Assertion Definition
Bounded Buffer
  class BoundedBuffer {
    Object [] buffer;
    int head;   /* next available slot */
    int tail;   /* last available slot */
    int bound;  /* max # of elements */
    public BoundedBuffer(int b) {…}
    public synchronized boolean isEmpty() {…}
    public synchronized void add(Object o) {…}
    public synchronized Object take() {…}
  }
(figure: head/tail positions after Initialization; after Add, Add; after Add, Take)
Bounded Buffer
  public synchronized void add(Object o) {
    while (tail == head)
      try { wait(); } catch (InterruptedException ex) {}
    buffer[head] = o;
    head = (head+1) % bound;
    notifyAll();
  }
  public synchronized Object take() {
    while (head == ((tail+1) % bound))
      try { wait(); } catch (InterruptedException ex) {}
    tail = (tail+1) % bound;
    notifyAll();
    return buffer[tail];
  }
(figure: head/tail positions after Initialization; after Add, Add; after Add, Take)
Bounded Buffer Properties
- Buffers are constructed with positive bounds
- Full buffers eventually become non-full
- Empty buffers must be added to before being taken from
- Indices always stay in range
- Elements are always added in the correct position
Reminder --- Language Structure
  Quantification
  Temporal Property Specification (via pattern language)
  Assertion Property Specification (selective enabling)
  Predicate Definition
  Assertion Definition
Assertion Forms
- Pre-conditions:       @assert PRE <name> <exp>;
- Post-conditions:      @assert POST <name> <exp>;
- Arbitrary locations:  @assert LOCATION[<label>] <name> <exp>;
Example:
  class MyClass {
    int count = 0;
    …
    /**
     * @assert
     * PRE foo: (I > 5);
     * POST bar: (count > 10);
     * LOCATION[here] checka: (m.q.a == 4);
     */
    public void mymethod(int I) {
      …
      here: …
    }
  }
Assertion Checking
Requirement: Buffers are constructed with positive bounds
  /**
   * @assert
   * PRE PositiveBound: (b > 0);
   */
  public BoundedBuffer(int b) {
    bound = b;
    buffer = new Object[bound];
    head = 0;
    tail = bound-1;
  }
Bandera Specification:
  PositiveBound: enable assertions {PositiveBound};
Predicate Forms
- Static/Instance data constraints:  @observable [static] EXP <name> <exp>;
- Invocation:                        @observable INVOKE <name> <exp>;
- Return:                            @observable RETURN <name> <exp>;
- Arbitrary locations:               @observable LOCATION[<label>] <name> <exp>;
Pattern Hierarchy (Dwyer, Avrunin, Corbett, ICSE'99)
Property Patterns
  Occurrence: Absence, Universality, Existence, Bounded Existence
  Order: Precedence, Response, Chain Precedence, Chain Response
Classification
- Occurrence patterns
  – require states/events to occur or not to occur
- Order patterns
  – constrain the order of states/events
Property Specification
  /**
   * @observable
   * EXP Full: (head == tail);
   */
  class BoundedBuffer {
    Object [] buffer;
    int head, tail, bound;
    public synchronized void add(Object o) {…}
    public synchronized Object take() {…}
  }
Requirement: If a buffer becomes full, it will eventually become non-full.
Bandera Specification:
  FullToNonFull: forall[b: BoundedBuffer]. {!Full(b)} responds to {Full(b)} globally;
Property Specification
  /**
   * @observable
   * EXP Empty: head == ((tail+1) % bound);
   */
  class BoundedBuffer {
    int head, tail, bound;
    /**
     * @observable INVOKE Call;
     */
    public synchronized void add(Object o) {…}
    /**
     * @observable RETURN Return;
     */
    public synchronized Object take() {…}
  }
Requirement: Empty buffers must be added to before being taken from.
Bandera Specification:
  NoTakeWhileEmpty: forall[b: BoundedBuffer]. {take.Return(b)} is absent after {Empty(b)} until {add.Call(b)};
Quantification
  forall[b: BoundedBuffer]. P(b)
- The quantified set (the set of BoundedBuffers) is not fixed!
  – varies within executions
  – varies across executions
- Solution
  – add a state variable (for b) that will eventually be bound non-deterministically to each instance
  – enable checking of the formula only when the variable is bound to an instance
Quantification (Cont'd)
  (!selected U (selected && P(b))) || []!selected
(figure: executions that construct instances [1], [2], [3] via new BoundedBuffer(n), new BoundedBuffer(m), new BoundedBuffer(k); in each run the state stays !selected until the variable is non-deterministically bound to one instance, [1], [2] or [3], at its construction, after which it remains selected)
Quantification (Cont'd)
  class heap {
    public static BoundedBuffer b;
  }
  class BoundedBuffer {
    Object [] buffer;
    int head, tail, bound;
    // instrumented constructor: non-deterministically bind heap.b to this instance
    public BoundedBuffer(int n) {
      ...
      if (heap.b == null && Bandera.choose()) { heap.b = this; }
    }
  }
Original constructor for comparison:
  public BoundedBuffer(int n) { ... }
Quantification (Cont'd)
  forall[b: BoundedBuffer]. {Full(b)} leads to {!Full(b)} globally;
becomes
  (heap.b == null U (heap.b != null && []((heap.b.head == heap.b.tail) -> <>(heap.b.head != heap.b.tail))))
  || [](heap.b == null)
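The quantifier encoding above, as an added example that is not part of the Bandera tool set: a Python model of the slides' BoundedBuffer index logic (wait() replaced by a boolean return, elements not stored) that records a trace of global states and checks forall[b: BoundedBuffer]. {!Full(b)} responds to {Full(b)} globally by binding b to each instance at its construction and evaluating the response pattern on the suffix that follows that binding, which is exactly what the (!selected U (selected && P(b))) || []!selected encoding does per run. The names TRACE, HEAP, snapshot, responds_globally, forall_instances and run are assumptions of this example.

```python
TRACE, HEAP = [], []   # constructed trace of global states; HEAP = every instance ever built
class BoundedBuffer:
    """Index logic of the slides' BoundedBuffer; blocking and element storage left out."""
    def __init__(self, bound):
        assert bound > 0                              # @assert PRE PositiveBound: (b > 0)
        self.bound, self.head, self.tail = bound, 0, bound - 1
        self.birth = len(TRACE)                       # step at which heap.b may be bound to self
        HEAP.append(self)
        snapshot()

    def full(self):                                   # @observable EXP Full: (head == tail)
        return self.head == self.tail

    def add(self):                                    # False where the Java code would wait()
        if self.full(): return False
        self.head = (self.head + 1) % self.bound
        snapshot()
        return True

    def take(self):                                   # Empty(b): head == ((tail+1) % bound)
        if self.head == (self.tail + 1) % self.bound: return False
        self.tail = (self.tail + 1) % self.bound
        snapshot()
        return True

def snapshot():                                       # global state = (head, tail) of each instance
    TRACE.append(tuple((b.head, b.tail) for b in HEAP))

def responds_globally(suffix, p, q):
    """Pattern '{q} responds to {p} globally' evaluated over a finite trace suffix."""
    return all(any(q(t) for t in suffix[i:]) for i, s in enumerate(suffix) if p(s))

def full_to_non_full(k, suffix):                      # P(b) with b bound to heap index k
    full = lambda s: s[k][0] == s[k][1]
    return responds_globally(suffix, full, lambda s: not full(s))

def forall_instances(prop):
    """Slides' encoding: each run binds heap.b to one instance at its construction, so the
    quantified property holds iff P(b) holds on the suffix after every construction."""
    return all(prop(k, TRACE[b.birth:]) for k, b in enumerate(HEAP))

def run(schedule):
    """Replay ("new", name, bound) / ("add", name) / ("take", name) steps, then check."""
    TRACE.clear(); HEAP.clear(); bufs = {}
    for op, name, *arg in schedule:
        if op == "new": bufs[name] = BoundedBuffer(arg[0])
        elif op == "add": bufs[name].add()
        else: bufs[name].take()
    return forall_instances(full_to_non_full)
```

Because the slides' constructor sets tail = bound-1 and Full is head == tail, a buffer constructed with bound 1 is full from its first state and can never become non-full, so run([("new", "b", 1)]) reports False.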
Next Steps: Avionics Domain
- Case studies of avionics code leading to domain-specific patterns
  – Working with Rockwell-Collins ATC as they develop FAA coding guidelines for using OO in avionics platforms (supplement to DO-178B)
  – Contains various restrictions on patterns of use
  – Ultimately, use model-checking results as evidence to help justify FAA certification
Next Steps: Richer Specifications
- Integration of BSL with the Java Modeling Language (JML) developed by Gary Leavens at Iowa State.
- JML is also used as the specification language for…
  – ESC/Java (Compaq)
  – LOOP (Bart Jacobs): compiles Java to PVS theories for complete verification of source code.
- In the long term, we're interested in other forms of verification.
Next Steps: Real-time Specifications
- Including notions of time in patterns
  <ReadSensor> responds to <SensorInput> within at most <K> globally
  …where <K> is some number of time units
Next Steps: Other Specification Forms
- Compiling UML statecharts into Bandera's intermediate representation
  – Support specification of source code properties via hierarchical state machines
  – Incorporate refinement checking at various levels
  …inspiration from Rajeev Alur et al.
For more details…
http://www.cis.ksu.edu/santos/bandera
- Public release of the tool set
- Tutorial with repository of simple examples
- Tutorial lecture slides
- Pattern web pages