Model-Checking JML Specifications with Bogor
Matthew B. Dwyer, John Hatcliff, Robby, Edwin Rodríguez
SAnToS Laboratory, Kansas State University, USA
http://bogor.projects.cis.ksu.edu
http://spex.projects.cis.ksu.edu
http://jmleclipse.projects.cis.ksu.edu
http://bandera.projects.cis.ksu.edu
CASSIS 2004, Marseille, France
Support: US Army Research Office (ARO), US National Science Foundation (NSF), US Department of Defense Advanced Research Projects Agency (DARPA), Boeing, Honeywell Technology Center, IBM, Intel, Lockheed Martin, NASA Langley, Rockwell-Collins ATC, Sun Microsystems
Bandera: An Open Toolset for Model Checking Concurrent Java Programs
(Architecture diagram: the Checker Input is Java Source plus a Specification; Bandera's Transformation & Abstraction Tools (Slicing, Abstract Interpretation, Static Analysis) under Optimization Control produce the model that Bogor checks; Error Trace Mapping relates the Checker Output back to the source; all components run on the Eclipse Platform.)
Java source fragment shown in the diagram:
```java
void add(Object o) { buffer[head] = o; head = (head+1)%size; }
Object take() { … tail = (tail+1)%size; return buffer[tail]; }
```
SpEx Project — Goals
Specification languages should:
- have a rich set of primitives for observing program state (heap-allocated objects, concurrency, etc.)
- make it easy to write useful specifications (support lightweight and deep-semantic specifications)
- be checkable using a variety of analysis techniques (model checking, testing, etc.)
We are investigating several languages: JML (current focus), OCL, AAL, etc.
JML Reasoning Tools and Technologies

| Tool (technology) | Automation / Usability | JML Coverage | Behavior Coverage | Scalability |
|---|---|---|---|---|
| LOOP | fair (straight-line code), poor (otherwise) | very high | complete (for sequential) | poor |
| ESC/Java | good (annotations usually needed) | low | high (for sequential), moderate (otherwise) | excellent (modular treatment of methods) |
| ESC/Java2 | good (annotations usually needed) | moderate | high (for sequential), moderate (otherwise) | excellent (modular treatment of methods) |
| JMLC | excellent | moderate | low (determined by test harness) | excellent |
| Bogor | excellent | very high | moderate (determined by test harness) | good (for unit-level reasoning) |

…other tools such as JACK, …
JML Reasoning Tools and Technologies
Theorem proving: manipulate formulas. For a method m(…), assume the pre-conditions, reason over the body, and prove the post-conditions.
Model checking / testing: checking that specifications are satisfied for particular traces generated by the environment (test harness).
Bogor
Questions: What is it? Why is it useful? What about its existing algorithms suggests that it might be good for checking JML?
Bogor (Buitenzorg)
Bogor – Software Model Checking Framework
Bogor – Direct support for OO software
Direct support for…
- unbounded dynamic creation of threads and objects
- automatic memory management (garbage collection)
- virtual methods, …, exceptions, etc.: supports virtually all of Java
Software-targeted algorithms…
- thread & heap symmetry
- compact state representation
- partial order reduction techniques driven by object escape analysis and locking disciplines
Extensive support for checking concurrent OO software
Bogor – Eclipse-based Tool Components
Tool Development Framework: the architecture allows encapsulation of, and integration with, other verification tools using IBM's Eclipse Integrated Development Environment.
- Cadena: CORBA Component Model verification
- Next generation of Bandera: Java model-checking tool set
- SpEx: JML verification, etc.
Domain-Specific Model-Checking — Bogor Customized To Cadena
Bogor – Extensible Modeling Language
- Core Modeling Language: threads, objects, methods, exceptions, etc.
- + Extensions: sets, queues, tables; RT CORBA Event Service API abstraction; domain-specific abstractions
Bogor – Customizable Checking Engine Modules
- Core Checker Modules: Scheduling Strategy, State-space Exploration, State-space Representation (…existing modules…)
- Customized Checker Modules: Real-time Scheduling, Quasi-cyclic Search, Partial State Representation
Bogor Customized To Bandera
Bogor – Feature-rich Modeling Language
- Core Modeling Language: threads, objects, methods, exceptions, etc.
Bogor – Customizable Checking Engine Modules
- Core Checker Modules: Scheduling Strategy, State-space Exploration, State Representation (…existing modules…)
- Customized Checker Modules: Partial Order Reduction, Depth-first Search, Symmetry Reduction & Compression
Bogor's Heap Representation
Key Points…
- explicit heap representation
- a transition may create new objects, garbage, etc.
- garbage is eliminated
- after each transition, a topological sort gives heap objects a canonical order; the sort walks over the heap, canonicalizes, and collects info
- precise heap model
- precise alias information
- have access to all visited states (but efficiently stored using collapse compression)
(Diagram: state, transition, heap, canonical heap.)
Bogor's Heap Representation — Enables JML Specs Check
Key Points…
- many JML features are easy to support in Bogor
- a transition may create new objects, garbage, etc.; the sort walks over the heap, canonicalizes, and collects info
- can easily compare objects in method pre/post-states (cf. \old)
- precise alias information (cf. \modifies)
- precise heap model (cf. \reach)
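The canonical-order walk, garbage elimination and \reach support described on the two slides above, as an added Python example (not code from the slides or from Bogor): a heap is a dict from object id to (type, fields), a deterministic depth-first walk from the roots numbers objects on first visit, unreachable objects are dropped, the StateStore class (a hypothetical helper) interns canonical objects in the spirit of collapse compression, and reach() gives the set that JML's \reach denotes. The LinkedQueue sample heaps are constructed here for illustration.

```python
from collections import namedtuple

Ref = namedtuple("Ref", "oid")   # a heap reference; any other value is a scalar

def canonicalize(heap, roots):
    """Canonical, garbage-free view of the heap reachable from `roots`.

    `heap` maps object id -> (type name, {field: value}); `roots` maps root name -> value.
    A deterministic depth-first walk (roots in name order, fields in name order) numbers
    each object when first visited, like the topological sort Bogor runs after every
    transition. Unreachable objects are never numbered, so garbage is eliminated, and
    heaps that differ only in allocation order yield identical tuples.
    """
    number = {}                                   # object id -> canonical index
    stack = [roots[n] for n in sorted(roots, reverse=True)]   # smallest name popped first
    while stack:
        v = stack.pop()
        if not isinstance(v, Ref) or v.oid in number:
            continue
        number[v.oid] = len(number)
        fields = heap[v.oid][1]
        stack.extend(fields[f] for f in sorted(fields, reverse=True))

    def canon(v):
        return ("ref", number[v.oid]) if isinstance(v, Ref) else v

    objects = tuple(
        (heap[oid][0], tuple((f, canon(val)) for f, val in sorted(heap[oid][1].items())))
        for oid in sorted(number, key=number.get)
    )
    return tuple((n, canon(roots[n])) for n in sorted(roots)), objects

def reach(heap, start):
    """Object ids reachable from `start`: the set JML's \\reach(start) denotes."""
    seen, stack = set(), [start]
    while stack:
        v = stack.pop()
        if isinstance(v, Ref) and v.oid not in seen:
            seen.add(v.oid)
            stack.extend(heap[v.oid][1].values())
    return seen

class StateStore:
    """Visited-state set over canonical heaps (hypothetical helper). Each canonical object
    is interned once and a state is stored as the tuple of its interned indices, a
    simplified form of collapse compression: states sharing objects share storage."""
    def __init__(self):
        self.interned, self.seen = {}, set()

    def add(self, canonical):
        """Record a state; return True if it was not visited before."""
        root_view, objects = canonical
        key = (root_view, tuple(self.interned.setdefault(o, len(self.interned)) for o in objects))
        if key in self.seen:
            return False
        self.seen.add(key)
        return True

def linked_queue_heap(ids):
    """Constructed sample: a LinkedQueue holding one element, plus one unreachable
    LinkedNode (garbage). `ids` assigns the object ids, simulating an allocation history."""
    lq, sentinel, node, lock, garbage = ids
    heap = {
        lq: ("LinkedQueue", {"head": Ref(sentinel), "last": Ref(node),
                             "putLock": Ref(lock), "waitingForTake": 0}),
        sentinel: ("LinkedNode", {"value": None, "next": Ref(node)}),
        node: ("LinkedNode", {"value": "x", "next": None}),
        lock: ("Object", {}),
        garbage: ("LinkedNode", {"value": "stale", "next": None}),
    }
    return heap, {"q": Ref(lq)}

def demo():
    """Two allocation orders of the same queue state, and the invariant \\reach(head).has(last)."""
    h1, r1 = linked_queue_heap((1, 2, 3, 4, 5))
    h2, r2 = linked_queue_heap((30, 10, 20, 50, 40))
    c1, c2 = canonicalize(h1, r1), canonicalize(h2, r2)
    store = StateStore()
    lq = h1[1][1]
    return {
        "same_state": c1 == c2,
        "objects_kept": len(c1[1]),                               # the garbage node is dropped
        "last_reachable_from_head": lq["last"].oid in reach(h1, lq["head"]),
        "first_seen": (store.add(c1), store.add(c2)),
    }
```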
JML Language Coverage
large language coverage…
Doug Lea's LinkedQueue Example
```java
public class LinkedNode {
  public Object value; public LinkedNode next;
  public LinkedNode(Object x) { value = x; }
}

public class LinkedQueue {
  protected final Object putLock;
  protected LinkedNode head;
  protected LinkedNode last;    // sentinel queue: last == head while the queue is empty
  protected int waitingForTake = 0;

  // last is assigned here: a field initializer "last = head" would read head before it is set
  public LinkedQueue() { putLock = new Object(); head = new LinkedNode(null); last = head; }
  public boolean isEmpty() { synchronized (head) { return head.next == null; } }
  public void put(Object x) { if (x == null) throw new IllegalArgumentException(); insert(x); }
  protected synchronized Object extract() {
    synchronized (head) {
      Object x = null; LinkedNode first = head.next;
      if (first != null) { x = first.value; first.value = null; head = first; }
      return x;
    }
  }
  protected void insert(Object x) {
    synchronized (putLock) {
      LinkedNode p = new LinkedNode(x);
      synchronized (last) { last.next = p; last = p; }
      if (waitingForTake > 0) putLock.notify();
      return;
    }
  }
  public Object take() { Object x = extract(); if (x != null) return x; else … }
}
```
allows a high degree of concurrency
Doug Lea's LinkedQueue Example: a put() by the red thread followed by a take() by the blue thread, as drawn in the heap diagrams (each diagram shows the LinkedQueue object LQ with its head, last and putLock fields, the LinkedNode objects LN with their value and next fields, the two threads, and their locals):
1. A state with two threads and a LinkedQueue object
2. The red thread creates a new object
3. …and invokes put(), which invokes insert()
4. insert() acquires the lock on putLock
5. …and creates a new LinkedNode
6. …then it locks the LinkedNode pointed to by last
7. …and assigns the new LinkedNode to last.next
8. last is moved to point to the new LinkedNode
9. the lock on head's LinkedNode is released
10. returning from insert(), the local p is now out of scope
11. and the lock on putLock's object is released
12. The red thread finishes executing the put() method
13. and it removes the reference to the new object, done!
14. another object is added
15. The blue thread invokes take(), which invokes extract()
16. the LinkedQueue is locked
17. the head's LinkedNode is also locked
18. head.next is assigned to the local first
19. first.value is assigned to the local x
20. first.value is assigned null
21. head is moved to the next LinkedNode
22. the LinkedNode is GC'ed (after its lock is released)
23. the state after take() is finished
Assessments — LinkedQueue
- put() and take() can be done concurrently if the size of the LinkedQueue is greater than 0: they use different locks to protect object accesses (put() synchronizes on putLock and last; take() synchronizes on the LinkedQueue object and head)
- put() and take() are mutually exclusive if the size is 0: head == last, so they synchronize on the same LinkedNode
- reasoning about them becomes very complex
JML & Concurrency Issues
- Pre-/post-conditions: check points in a concurrent setting
- Functional and synchronization aspects: difficulty when specifying methods
- Model checking post-conditions with \old()
LinkedQueue Example (JML)
```java
public class LinkedNode {
  public Object value; public LinkedNode next;
  /*@ behavior
    @   ensures value == x;
    @*/
  public LinkedNode(Object x) { value = x; }
}

public class LinkedQueue {
  protected final /*@ non_null @*/ Object putLock;
  protected /*@ non_null @*/ LinkedNode head;
  protected /*@ non_null @*/ LinkedNode last;   // sentinel queue: last == head while empty
  protected int waitingForTake = 0;

  //@ instance invariant waitingForTake >= 0;
  //@ instance invariant \reach(head).has(last);

  /*@ behavior
    @   assignable head, last, putLock, waitingForTake;
    @   ensures \fresh(head, putLock) && head.next == null;
    @*/
  public LinkedQueue() { putLock = new Object(); head = new LinkedNode(null); last = head; }

  /*@ behavior
    @   ensures \result <==> head.next == null;
    @*/
  public boolean isEmpty() { synchronized (head) { return head.next == null; } }

  /*@ behavior
    @   requires n != null;
    @   assignable last, last.next;
    @*/
  protected void refactoredInsert(LinkedNode n) { last.next = n; last = n; }

  /*@ behavior
    @   requires x != null;
    @   ensures true;
    @ also behavior
    @   requires x == null;
    @   signals (Exception e) e instanceof IllegalArgumentException;
    @*/
  public void put(Object x) { if (x == null) throw new IllegalArgumentException(); insert(x); }

  protected synchronized Object extract() { synchronized (head) { return refactoredExtract(); } }

  /*@ behavior
    @   assignable head, head.next.value;
    @   ensures \result == null ||
    @     (\exists LinkedNode n; \old(\reach(head)).has(n);
    @        n.value == \result && !(\reach(head).has(n)));
    @*/
  protected Object refactoredExtract() {
    Object x = null; LinkedNode first = head.next;
    if (first != null) { x = first.value; first.value = null; head = first; }
    return x;
  }

  /*@ behavior
    @   requires x != null;
    @   ensures last.value == x && \fresh(last);
    @*/
  protected void insert(Object x) {
    synchronized (putLock) {
      LinkedNode p = new LinkedNode(x);
      synchronized (last) { refactoredInsert(p); }   // synchronized requires a block body
      if (waitingForTake > 0) putLock.notify();
      return;
    }
  }
}
```
LinkedQueue Example (JML) – highlighted: the fields and the instance invariants
```java
public class LinkedQueue {
  protected final /*@ non_null @*/ Object putLock;
  protected /*@ non_null @*/ LinkedNode head;
  protected /*@ non_null @*/ LinkedNode last;
  protected int waitingForTake = 0;

  //@ instance invariant waitingForTake >= 0;
  //@ instance invariant \reach(head).has(last);
  …
```
LinkedQueue Example (JML) – highlighted: the constructor
```java
/*@ behavior
  @   assignable head, last, putLock, waitingForTake;
  @   ensures \fresh(head, putLock) && head.next == null;
  @*/
public LinkedQueue() { putLock = new Object(); head = new LinkedNode(null); last = head; }
```
LinkedQueue Example (JML) – highlighted: isEmpty()
```java
/*@ behavior
  @   ensures \result <==> head.next == null;
  @*/
public boolean isEmpty() { synchronized (head) { return head.next == null; } }
```
Pre/Post-Conditions
jmlc generates a wrapper method for each annotated method:
  check invariants and method preconditions
  call original method
  check post-conditions
Figure 4.3, “A Runtime Assertion Checker for the Java Modeling Language”, Y. Cheon
Pre/Post-Conditions
/*@ behavior
  @   ensures \result <==> head.next == null;
  @*/
public boolean isEmpty() {
  synchronized (head) { return head.next == null; }
}

wrapper generated by jmlc:
public boolean isEmpty() {
  …
  boolean rac$result;
  …
  rac$result = orig$isEmpty();
  checkPost$isEmpty$LinkedQueue(rac$result);
  return rac$result;
  …
}
At this point (after orig$isEmpty() has returned and released the lock on head, and before checkPost$isEmpty$LinkedQueue() evaluates the post-condition) a thread can interleave and insert an object in the LinkedQueue; so there actually exists an execution race where the post-condition is violated.
In general, a thread can interfere before or during the post-condition check.
Thus, we need to prevent the interleaving by aggregating the return transition with the post-condition transitions.
Assessments — Pre/Post-conditions
granularity of execution/checking steps must be controlled
  easy to do in a model checker, using a similar construct such as Promela’s atomic
  for testing, the JVM needs to be modified: the scheduler must prevent context-switching when evaluating code from specifications
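The race of slides 50–52, as an added example that is not the slides' code: a queue with an isEmpty() like the LinkedQueue's, a jmlc-style wrapper whose post-condition check runs after the original call has released its lock, and an aggregated wrapper that holds the lock across the call and the check. The Thread argument stands in for the scheduler choosing to run another thread's put() in that window; the class and method names are this example's own.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Added example (not the slides' code): the post-condition "\result <==> queue is empty"
// checked outside the lock (racy, as the generated wrapper does) and under the lock.
public final class PostCheckRace {
    private final Deque<Object> items = new ArrayDeque<>();   // stands in for the head/last list
    private final Object lock = new Object();                 // stands in for synchronized (head)

    // the original method: result is computed under the lock, which is released on return
    public boolean isEmpty() {
        synchronized (lock) { return items.isEmpty(); }
    }

    public void put(Object x) {
        synchronized (lock) { items.addLast(x); }
    }

    // the post-condition, evaluated on whatever the state is when it runs
    private boolean checkPostIsEmpty(boolean result) {
        synchronized (lock) { return result == items.isEmpty(); }
    }

    // jmlc-style wrapper: orig call, then post-condition check, with a window in between;
    // the interleaver (another thread calling put) is forced to run inside that window
    public boolean isEmptyRacyWrapper(Thread interleaver) throws InterruptedException {
        boolean racResult = isEmpty();
        interleaver.start();
        interleaver.join();                       // put() has completed before the check runs
        if (!checkPostIsEmpty(racResult)) {
            throw new AssertionError("post-condition of isEmpty() violated: result=" + racResult);
        }
        return racResult;
    }

    // aggregated wrapper: the same lock spans the original call and the check, so the
    // interleaver blocks in put() until the check has completed (the lock is reentrant)
    public boolean isEmptyAtomicWrapper(Thread interleaver) throws InterruptedException {
        boolean racResult;
        synchronized (lock) {
            racResult = isEmpty();
            interleaver.start();                  // blocks on lock inside put()
            if (!checkPostIsEmpty(racResult)) {
                throw new AssertionError("post-condition of isEmpty() violated");
            }
        }
        interleaver.join();                       // put() proceeds only after the check
        return racResult;
    }

    public static void main(String[] args) throws InterruptedException {
        PostCheckRace q1 = new PostCheckRace();
        try {
            q1.isEmptyRacyWrapper(new Thread(() -> q1.put("x")));
        } catch (AssertionError e) {
            System.out.println("racy wrapper: " + e.getMessage());
        }
        PostCheckRace q2 = new PostCheckRace();
        boolean r = q2.isEmptyAtomicWrapper(new Thread(() -> q2.put("x")));
        System.out.println("atomic wrapper: result=" + r + ", empty afterwards=" + q2.isEmpty());
    }
}
```

The racy wrapper always reports a violation here, although isEmpty() itself is correct; the aggregated wrapper returns true and the put() lands afterwards.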
JML & Concurrency Issues
Pre-/post-conditions check points in a concurrent setting
Functional and synchronization aspects difficulty when specifying methods
Model checking post-conditions with \old()
public class LinkedNode {
  public Object value;
  public LinkedNode next;

  /*@ behavior
    @   ensures value == x;
    @*/
  public LinkedNode(Object x) { value = x; }
}

Functional and Synchronization Aspects
public Object take() {
  Object x = extract();
  if (x != null) return x;
  else … // wait
}

/*@ behavior
  @   assignable head, head.next.value;
  @   ensures \result == null
  @     || (\exists LinkedNode n; \old(\reach(head)).has(n);
  @           n.value == \result && !(\reach(head).has(n)));
  @*/
protected synchronized Object extract() {
  synchronized (head) {
    Object x = null;
    LinkedNode first = head.next;
    if (first != null) { x = first.value; first.value = null; head = first; }
    return x;
  }
}
does not work, why?
Functional andSynchronization Aspects
LQ LN
head
lastputLock
A state with two threads and a LinkedQueue objectA state with two threads and a LinkedQueue object
![Page 57: Support US Army Research Office (ARO) US National Science Foundation (NSF) US Department of Defense Advanced Research Projects Agency (DARPA) Boeing Honeywell.](https://reader035.fdocuments.in/reader035/viewer/2022062304/56649e9f5503460f94ba1135/html5/thumbnails/57.jpg)
Functional andSynchronization Aspects
LQ LN
head
lastputLock
The blue thread invokes take(), which invokes extract().Note that the pre-state for take() is an empty LinkedQueue.The blue thread invokes take(), which invokes extract().Note that the pre-state for take() is an empty LinkedQueue.
take()
![Page 58: Support US Army Research Office (ARO) US National Science Foundation (NSF) US Department of Defense Advanced Research Projects Agency (DARPA) Boeing Honeywell.](https://reader035.fdocuments.in/reader035/viewer/2022062304/56649e9f5503460f94ba1135/html5/thumbnails/58.jpg)
Functional andSynchronization Aspects
LQ LN
head
lastputLock
The red thread interleaves and put() an objectThe red thread interleaves and put() an object
take()
put()
![Page 59: Support US Army Research Office (ARO) US National Science Foundation (NSF) US Department of Defense Advanced Research Projects Agency (DARPA) Boeing Honeywell.](https://reader035.fdocuments.in/reader035/viewer/2022062304/56649e9f5503460f94ba1135/html5/thumbnails/59.jpg)
Functional andSynchronization Aspects
LQ LN
head
putLock
The red thread interleaves and put() an objectThe red thread interleaves and put() an object
take() LN
head
last
LN
nextvalue
![Page 60: Support US Army Research Office (ARO) US National Science Foundation (NSF) US Department of Defense Advanced Research Projects Agency (DARPA) Boeing Honeywell.](https://reader035.fdocuments.in/reader035/viewer/2022062304/56649e9f5503460f94ba1135/html5/thumbnails/60.jpg)
Functional andSynchronization Aspects
LQ
putLock
x
head
The blue thread successfully take() the objectThe blue thread successfully take() the object
LN
last
take()
![Page 61: Support US Army Research Office (ARO) US National Science Foundation (NSF) US Department of Defense Advanced Research Projects Agency (DARPA) Boeing Honeywell.](https://reader035.fdocuments.in/reader035/viewer/2022062304/56649e9f5503460f94ba1135/html5/thumbnails/61.jpg)
Functional andSynchronization Aspects
LQ
putLock
x
head
but the post-condition is violated since the pre-state is an empty LinkedQueue!but the post-condition is violated since the pre-state is an empty LinkedQueue!
LN
last
take()
public Object take() { Object x = extract(); if (x != null) return x; else … // wait}
/*@ behavior @ assignable head, head.next.value; @ ensures \result == null @ || (\exists LinkedNode n; @ \old(\reach(head)).has(n); @ n.value == \result @ && !(\reach(head).has(n))); @*/protected synchronized Object extract() { synchronized (head) { Object x = null; LinkedNode first = head.next; if (first != null) { x = first.value; first.value = null; head = first; } return x; }}
functional propertyfunctional property
![Page 62: Support US Army Research Office (ARO) US National Science Foundation (NSF) US Department of Defense Advanced Research Projects Agency (DARPA) Boeing Honeywell.](https://reader035.fdocuments.in/reader035/viewer/2022062304/56649e9f5503460f94ba1135/html5/thumbnails/62.jpg)
Functional and Synchronization Aspects
protected synchronized Object extract() {
  synchronized (head) { return refactoredExtract(); }
}

/*@ behavior
  @   assignable head, head.next.value;
  @   ensures \result == null
  @     || (\exists LinkedNode n; \old(\reach(head)).has(n);
  @           n.value == \result && !(\reach(head).has(n)));
  @*/
protected Object refactoredExtract() {
  Object x = null;
  LinkedNode first = head.next;
  if (first != null) { x = first.value; first.value = null; head = first; }
  return x;
}
The functional specification is now attached to refactoredExtract(), the region of code that runs after the lock on head has been acquired.
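The scenario of slides 56–62 as an added example (not the slides' code): the \old(\reach(head)) snapshot is taken once at the entry of extract(), before the lock on head is held, and once inside the synchronized region, as for refactoredExtract(). The post-condition is simplified to the clause that fails on the slides (\result is null or was the value of a node in \old(\reach(head))); the Thread argument stands in for the scheduler running put() in the window, and names other than LinkedNode, head, last, putLock, put and refactoredExtract are this example's own.

```java
import java.util.ArrayList;
import java.util.List;

// Added example (not the slides' code): where the \old snapshot is taken decides whether
// a correct extract() passes or fails its post-condition under interleaving.
public final class ReachSpecDemo {
    static final class LinkedNode {
        Object value; LinkedNode next;
        LinkedNode(Object x) { value = x; }
    }

    private final Object putLock = new Object();
    private LinkedNode head = new LinkedNode(null);   // dummy header, as in the slides
    private LinkedNode last = head;

    // values of the nodes in \reach(head), captured as the pre-state (the header contributes null)
    private List<Object> oldReachValues() {
        List<Object> vals = new ArrayList<>();
        for (LinkedNode n = head; n != null; n = n.next) vals.add(n.value);
        return vals;
    }

    // put() as in the slides: locks putLock, then the last node (== head when the queue is empty)
    public void put(Object x) {
        synchronized (putLock) {
            LinkedNode p = new LinkedNode(x);
            synchronized (last) { last.next = p; last = p; }   // refactoredInsert
        }
    }

    // body of refactoredExtract() from the slides; caller must hold the lock on head
    private Object refactoredExtract() {
        Object x = null;
        LinkedNode first = head.next;
        if (first != null) { x = first.value; first.value = null; head = first; }
        return x;
    }

    // simplified post-condition: \result == null || \result came from a node in \old(\reach(head))
    private static boolean post(List<Object> oldValues, Object result) {
        return result == null || oldValues.contains(result);
    }

    // spec on extract(): \old is captured at entry, before the lock; the interleaver (a put())
    // runs in the window the scheduler may choose between entry and acquiring head
    public Object extractSpecAtEntry(Thread interleaver) throws InterruptedException {
        List<Object> old = oldReachValues();
        interleaver.start();
        interleaver.join();
        Object x;
        synchronized (head) { x = refactoredExtract(); }
        if (!post(old, x)) throw new AssertionError("extract() post-condition violated, result=" + x);
        return x;
    }

    // spec on refactoredExtract(): \old is captured inside synchronized (head); on an empty
    // queue put() blocks on last (== head), so it cannot run between snapshot and check
    public Object extractSpecInRegion(Thread interleaver) throws InterruptedException {
        Object x;
        synchronized (head) {
            List<Object> old = oldReachValues();
            interleaver.start();
            x = refactoredExtract();
            if (!post(old, x)) throw new AssertionError("refactoredExtract() post-condition violated");
        }
        interleaver.join();
        return x;
    }

    public static void main(String[] args) throws InterruptedException {
        ReachSpecDemo q1 = new ReachSpecDemo();
        try { q1.extractSpecAtEntry(new Thread(() -> q1.put("x"))); }
        catch (AssertionError e) { System.out.println(e.getMessage()); }   // spurious violation
        ReachSpecDemo q2 = new ReachSpecDemo();
        System.out.println("in-region result: " + q2.extractSpecInRegion(new Thread(() -> q2.put("x"))));
    }
}
```

The first call reports a violation for a result ("x") that was never in the pre-state snapshot; the second returns null (the queue was empty while the lock was held) and the put() lands afterwards.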
Assessments — Functional and Synchronization Aspects
when specifying properties of concurrent programs, separate functional properties from synchronization aspects (e.g., region of code after lock acquires); if not, we often end up with weaker properties
tool support for checking specifications is valuable for “debugging” specifications
model checking is good for catching subtle issues in concurrent programs or their properties
JML & Concurrency Issues
Pre-/post-conditions check points in a concurrent setting
Functional and synchronization aspects difficulty when specifying methods
Model checking post-conditions with \old()
Post-conditions with \old
[Diagram: the body of a method m(…) entered from a “good” pre-state, which reaches the end of m and passes the post-conditions, and from a “bad” pre-state, which leads to the same state inside m]
the state has been seen before, thus, the model checker backtracks without checking post-conditions
Backtracking can cause MC to miss some errors
Post-conditions with \old
class Race extends Thread {
  static int x;

  public void run() {
    loc1 : x = 0;
    loc2 : foo();
  }

  /*@ ensures
    @   \old(x) == 0;
    @*/
  void foo() {
    loc3 : x = 1;
    loc4 : return;
  }
}
A thread can enter foo() after the other thread has executed loc3, so \old(x) == 1 on that path, but the state reached inside foo() is the same as on a path where \old(x) == 0.
Backtracking can cause MC to miss some errors
Post-conditions with \old
/*@ behavior
  @   ensures … \old(e) …;
  @*/
public void foo() { … }

jmlc saves the pre-state value of e in a field:
public void foo() { old$rac = e; … }
Works for primitive types, but not for objects

Bogor records the pre-state instead:
public void foo() { int tmp = Bogor.collapseState(e); … }
If e is a reference type, then record all reachable objects from e
Returns a unique integer representing the canonical reachable heap
Post-conditions with \old
[Diagram: during take(), the pre-state heap reachable from head (LQ with head, last and putLock, and a chain of LN nodes with value/next fields) is recorded for the \old(\reach(head)) clause of refactoredExtract()]
uses set symmetry and collapse compression for efficiency
more optimizations are possible
Assessments — Post-conditions with \old
Backtracking can cause a model checker to miss some errors when checking post-conditions with \old
Needs to distinguish pre-states to avoid backtracking too early
  uses heap symmetry to reduce the number of distinguishable (observationally inequivalent) pre-states
  uses collapse compression to reduce memory consumption for encoding the pre-states
  can be optimized further by using a static analysis to detect relevant heap objects (analogous to slicing)
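The backtracking problem of slides 65–66, as an added example that is neither the slides' code nor Bogor's search: a small explicit-state depth-first search over the Race program for two threads, run once with the visited set keyed on (x, program counters) and once with the \old(x) values included in the key. It stores the \old(x) values directly rather than a collapsed heap id, since x is an int; that simplification and all names are this example's own.

```java
import java.util.HashSet;
import java.util.Set;

// Added example (not the slides' or Bogor's code): DFS over the Race program
//   loc1: x = 0; loc2: foo();   foo: loc3: x = 1; loc4: return;   ensures \old(x) == 0
// for two threads. Program counters: 0 = before loc1, 1 = before the call to foo(),
// 2 = inside foo() before loc3, 3 = at loc4 with the post-condition check pending, 4 = done.
public final class OldBacktrackDemo {
    private static final int THREADS = 2;
    private final boolean keepOldInState;
    private final Set<String> visited = new HashSet<>();
    private int violations = 0;

    OldBacktrackDemo(boolean keepOldInState) { this.keepOldInState = keepOldInState; }

    // the state vector the model checker compares: with or without the recorded pre-states
    private String key(int x, int[] pc, int[] old) {
        String k = x + "|" + pc[0] + "," + pc[1];
        return keepOldInState ? k + "|" + old[0] + "," + old[1] : k;
    }

    // depth-first search; at each state thread 0 is tried before thread 1
    private void dfs(int x, int[] pc, int[] old) {
        if (!visited.add(key(x, pc, old))) return;   // seen before: backtrack
        for (int t = 0; t < THREADS; t++) {
            int[] npc = pc.clone(), nold = old.clone();
            int nx = x;
            switch (pc[t]) {
                case 0: nx = 0; npc[t] = 1; break;             // loc1: x = 0
                case 1: nold[t] = x; npc[t] = 2; break;        // call foo(): record \old(x)
                case 2: nx = 1; npc[t] = 3; break;             // loc3: x = 1
                case 3: if (old[t] != 0) violations++;         // loc4: check \old(x) == 0
                        npc[t] = 4; break;
                default: continue;                             // thread finished
            }
            dfs(nx, npc, nold);
        }
    }

    /** Explores the state space from x == 0 and returns the number of violated checks. */
    public int run() {
        visited.clear();
        violations = 0;
        dfs(0, new int[THREADS], new int[THREADS]);
        return violations;
    }

    public static void main(String[] args) {
        System.out.println("key (x, pcs):       violations = " + new OldBacktrackDemo(false).run());
        System.out.println("key (x, pcs, olds): violations = " + new OldBacktrackDemo(true).run());
    }
}
```

With the \old values left out of the key the search reports no violation: every state reached with \old(x) == 1 had already been visited via a path with \old(x) == 0, so the check at loc4 is never executed on the bad path; with them included the violation is found.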
Preliminary Results
[Chart: state-space exploration w/ JML vs. w/o JML]
Test Platform: JDK 1.4.1 (32-bit mode) on a 2 GHz Opteron with maximum heap of 1 GB running Linux (64-bit mode)

Bogor’s Reduction Algorithms — Enables Checking JML Specs
Indicates little overhead compared with simply exploring the state-space
[Chart: w/ JML vs. w/o JML, each w/ POR vs. w/o POR]
JMLEclipse
[Diagram: JML annotated Java source → JML well-formedness checker → jmlc, or another tool]
/*@ behavior
  @   requires x != null;
  @   ensures true;
  @ also
  @ behavior
  @   requires x == null;
  @   signals (Exception e) e instanceof IllegalArgumentException;
  @*/
public void put(Object x) {
  if (x == null) throw new IllegalArgumentException();
  insert(x);
}
JML syntax highlighting
JML well-formedness checking
Conclusion
There have been many tools for checking JML specifications
Bogor’s flexible model checking framework can be used to check “strong” specifications
  complete control over the model checker representations and algorithms: hard to do with Spin, but it can be done in JPF
  highly automated for unit-sized concurrent Java programs
  requires effective reductions to help curb specification checking overhead
  complements other JML checking methods by checking a different class of properties
Issues in JML support for concurrency
  Pre-/post-condition check points in a concurrent setting
  Functional and synchronization aspects: difficulty when specifying methods
  Checking \old() using model checking
Future Work
propose specifications for concurrency in JML (w/ Cormac Flanagan): thread-locality, method-locality, lock-protected pre-/post-conditions on code regions, atomicity, etc.
JMLEclipse as an open-ended JML plugin for Eclipse
  other specification formalisms
Bogor Tutorial at ETAPS 2004
Barcelona, Spain, April 3, half-day, afternoon
Topics
  Adapting Bogor to a particular domain
  Extending the Bogor modeling language: add new abstract data types, add new abstract operations
  Extending the Bogor model checking algorithms
For More Information…
SAnToS Laboratory, Kansas State University: http://www.cis.ksu.edu/santos
Bogor Project: http://bogor.projects.cis.ksu.edu
JMLEclipse Project: http://jmleclipse.projects.cis.ksu.edu
Bandera Project: http://bandera.projects.cis.ksu.edu
SpEx Project: http://spex.projects.cis.ksu.edu