Predicate Abstraction of Java Programs with Collections. Pavel Parízek, Ondřej Lhoták

Size: px

Start display at page:

Download "Predicate Abstraction of Java Programs with Collections. Pavel Parízek, Ondřej Lhoták"

Alisha Booth
6 years ago
Views:

1 Predicate Abstraction of Java Programs with Collections Pavel Parízek, Ondřej Lhoták

2 Predicate abstraction void main() { int i = 0; int x = 1; while (i < 1) { x += i; i++; assert(x > 0); Predicates P_xle0: x <= 0 P_ilt0: i < 0 void main() { bool P_ilt0 = false; bool P_xle0 = false; while (*) { // x += i; if (P_xle0 && P_ilt0) P_xle0 = true; else if (!P_xle0 &&!P_ilt0) P_xle0 = false; else P_xle0 = *; // i++; P_ilt0 = P_ilt0? * : false; if (P_xle0) ERROR; [T. Ball et al. PLDI 2001] [T. Ball et al. EuroSys 2006]

3 Our work: Java programs with collections id2thread.put(1, new ThreadInfo(1,5)); id2thread.put(2, new ThreadInfo(2,18)); id2thread.put(3, new ThreadInfo(3,10)); active.add(2); active.add(3); List<Integer> schedule = new LinkedList(); Iterator<Integer> actit = active.iterator(); while (actit.hasnext()) { int actid = actit.next(); ThreadInfo actth = id2thread.get(actid); for (int i = 0; i < schedule.size(); i++) { int schid = schedule.get(i); ThreadInfo schth = id2thread.get(schid); if (actth.priority > schth.priority) { schedule.add(i, actid); break;

4 Running example: properties id2thread.put(1, new ThreadInfo(1,5)); id2thread.put(2, new ThreadInfo(2,18)); id2thread.put(3, new ThreadInfo(3,10)); active.add(2); active.add(3); List<Integer> schedule = new LinkedList(); Iterator<Integer> actit = active.iterator(); while (actit.hasnext()) { int actid = actit.next(); ThreadInfo actth = id2thread.get(actid); for (int i = 0; i < schedule.size(); i++) { int schid = schedule.get(i); ThreadInfo schth = id2thread.get(schid); if (actth.priority > schth.priority) { schedule.add(i, actid); break; actth!= null schth!= null

5 Running example: properties id2thread.put(1, new ThreadInfo(1,5)); id2thread.put(2, new ThreadInfo(2,18)); id2thread.put(3, new ThreadInfo(3,10)); active.add(2); active.add(3); List<Integer> schedule = new LinkedList(); Iterator<Integer> actit = active.iterator(); while (actit.hasnext()) { int actid = actit.next(); ThreadInfo actth = id2thread.get(actid); ( id active (id, th) id2thread) actth!= null for (int i = 0; i < schedule.size(); i++) { int schid = schedule.get(i); ThreadInfo schth = id2thread.get(schid); if (actth.priority > schth.priority) { schedule.add(i, actid); break;

6 Contribution Predicate language for modeling collection state at the interface level Modeling Java collections with abstract maps Weakest preconditions that capture state changes Optimizations for constructing abstract programs

7 Java collections Views over maps (keys, values) Nested collections (multiple levels) Lists: bounds on index parameters Aliasing between elements Field accesses on stored objects for (String s : m.keyset()) print(s); m.put(2, new LinkedList()); if (i < ll.size()) String s = ll.get(i); s = abc ; set1.add(s); set2.add(s); Data d = m.get( abc ); print(d.count);

8 Abstract maps Map get size containskey containsvalue findkey put putahead remove clear createiterator keysview valuesview Iterator hasmore getcurrent movenext

9 From Java collections to abstract maps Java Our approach Map directly modeled Set<T> map<t, boolean> List<T> map<integer, T>

10 Predicate language id2thread.put(1, new ThreadInfo(1,5)); id2thread.put(2, new ThreadInfo(2,18)); id2thread.put(3, new ThreadInfo(3,10)); active.add(2); active.add(3); mget(map, active, 2) = true List<Integer> schedule = new LinkedList(); Iterator<Integer> actit = active.iterator(); while (actit.hasnext()) { int actid = actit.next(); ThreadInfo actth = id2thread.get(actid); for (int i = 0; i < schedule.size(); i++) { int schid = schedule.get(i); ThreadInfo schth = id2thread.get(schid); morder(mit, active, 3, actit) morder(mit, active, actit, ) msize(msz, schedule) = 0 if (actth.priority > schth.priority) { schedule.add(i, actid); break; mget(map, id2thread, 1) = fread(priority, mget(map, id2thread, 1)) = 5

11 Weakest preconditions Statement Predicate WP(s,p) r = m.get(k) r = e m.put(k,v) mget(map,m,k ) = v it.next() morder(mit,m,it, ) q m : q m = m e = mget(map,q m,k) mget(mupdate(map,m,k,v), m,k ) = v q k : morder(mit,m,it,q k ) morder(mit,m,q k, )

12 Constructing abstract programs id2thread.put(1, new ThreadInfo(1,5)); id2thread.put(2, new ThreadInfo(2,18)); id2thread.put(3, new ThreadInfo(3,10)); active.add(2); active.add(3); List<Integer> schedule = new LinkedList(); Iterator<Integer> actit = active.iterator(); while (actit.hasnext()) { int actid = actit.next(); ThreadInfo actth = id2thread.get(actid); // mget(map,id2thread,1)!= boolean bv1 = false; // mget(map,active,2) = true boolean bv2 = false; // actth = null boolean bv3 = true; for (int i = 0; i < schedule.size(); i++) { int schid = schedule.get(i); ThreadInfo schth = id2thread.get(schid); if (actth.priority > schth.priority) { schedule.add(i, actid); break;... // statement: active.add(2) atomic { bv2 = true;... while (...) { // statement: actth = id2thread.get(actid) if (bv1 &&...) bv3 = false; mget(map, id2thread, 1)!= mget(map, active, 2 = true actth = null // many other predicates // property check if (bv3) assert false : "actth == null";...

13 Algorithm foreach stmt method do foreach up predicatesupdatedby(stmt) do wp = weakestprecondition(stmt, up); inpreds = influencingpredicates(stmt, up, wp); foreach cb cubes(inpreds) do newpredvalue <- callsmt( cb wp ); generateoutputcode(up, cb, newpredvalue); // code: if (cb) up = newpredvalue end for end for end for

14 Optimizations Selecting relevant predicates Statement: id2thread.put(1, new ThreadInfo) Updated predicate: mget(map,id2thread,1) = Conflicting literals Example: mget(map,id2thread,1) = mget(map,id2thread,1) = actth Example: morder(mit,active,2, ) morder(mit,active,3, )

15 J2BP Java program WALA J2BP Yices ASM abstract program JPF Web:

16 Benchmarks Programs created by Dillig et al. [POPL 2011] Examples from our paper Size: lines of Java code Properties: equal lists, valid content of nested sets, list elements not aliased, correct size of nested lists,...

17 Results Program Predicates J2BP time SMT calls List copy s 2086 Map copy s 1114 Reverse map s 3854 Set of map keys s 312 Map of lists s List of sets s Multimap s 2566 Map values s 6224 List elements s 8456 List of key-value pairs s 3324 Relationship between keys and values 6 9 s 198 Thread scheduling s 782 Rendering image s Processing results of a cycling race s Simple data-flow analysis s 11344

18 Results Program Predicates J2BP time SMT calls List copy s 2086 Map copy s 1114 Reverse map s 3854 Set of map keys s 312 Map of lists s List of sets s Multimap s 2566 Map values s 6224 List elements s 8456 List of key-value pairs s 3324 Relationship between keys and values 6 9 s 198 Thread scheduling s 782 Rendering image s Processing results of a cycling race s Simple data-flow analysis s 11344

19 Summary Contribution Verification technique based on predicate abstraction for Java programs with collections Key aspects: path-sensitive, inter-procedural Next steps Automated inference of necessary predicates Better performance and scalability Integration with CEGAR-based verification frameworks Long term future Using our predicate language in other program verification and bug finding techniques symbolic execution, interpolation based model checking

20 Conclusion Goal: verifying properties of Java program with collections Required information about collections state Modeling collections at the interface level J2BP:

Software Model Checking. Xiangyu Zhang

Software Model Checking. Xiangyu Zhang Software Model Checking Xiangyu Zhang Symbolic Software Model Checking CS510 S o f t w a r e E n g i n e e r i n g Symbolic analysis explicitly explores individual paths, encodes and resolves path conditions