Tracechecks Defining semantic interfaces with temporal logic Eric Bodden 1 Volker Stolz 2 1 Sable Research Group McGill University, Montréal, Canada 2 MOVES: Software Modeling and Verification RWTH Aachen University, Aachen, Germany Vienna, March 25th, 2006
Outline What do we do? Dynamic verification of interface protocols in Java Problems with static approaches: (see talks on components today) recursion data structures Source code often contains informal requirements specifications. Our contribution: make a formal specification explicit in interfaces automatically instrument base application and check it at runtime
Temporal specifications Temporal specifications in Java today Excerpt from docs of java.util.iterator Method: void remove() Removes from the underlying collection the last element returned by the iterator (optional operation). This method can be called only once per call to next. The behavior of an iterator is unspecified if the underlying collection is modified while the iteration is in progress in any way other than by calling this method. Throws: UnsupportedOperationException - if the remove operation is not supported by this Iterator. IllegalStateException - if the next method has not yet been called, or the remove method has already been called after the last call to the next method.
What we actually want to say Temporal specifications next update 0 1 2 3 create update next
Temporal specifications Temporal specifications in Java today Problems with previous approaches The JDK implements checks for this by a combination of various counters in the iterator and collection classes. Implementation tedious and errorprone Requirement...... only in comments, which can easily be missed.... part of interface, i.e. Iterator Yet, it must be implemented within all implementors. And... not all do!... of crosscutting nature.
Can we do any better? Temporal specifications Prototype tool Java Logical Observer (J-LO): provides a means for specifying temporal assertions, called tracechecks can be attached to interfaces and classes uses Java 5 annotations formalism: extension of Linear Temporal Logic instrumentation through AspectJ
Tracechecks Temporal specifications 1 tracecheck ( C o l l e c t i o n col, I t e r a t o r i t e r ) { 2 3 sym create ( C o l l e c t i o n c, I t e r a t o r i ) a f t e r returning ( i ) : 4 c a l l ( C o l l e c t i o n +. i t e r a t o r ( ) ) && target ( c ) ; 5 sym next ( I t e r a t o r i ) before : 6 c a l l ( Object I t e r a t o r. next ( ) ) && target ( i ) ; 7 sym update ( C o l l e c t i o n c ) a f t e r : 8 update ( ) && target ( c ) ; 9 10 G( create ( col, i t e r ) X G( modify ( c o l ) G(! next ( i t e r ) ) ) ) 11 { 12 //could use "col" and "iter" 13 throw new ConcurrentModificationException ( ) ; 14 } 15 }
Tracechecks Benefits Temporal specifications Provides convenient instance-based reasoning via free variables. Allows for flexible deployment scenarios. As AspectJ language extension (seen before). In the form of Java 5 annotations... Specification right in place - even at interfaces.
Tracechecks Annotation style syntax Temporal specifications 1 public interface It erat or { 2... 3 4 @LTL( " 5 Collection c, thistype i : 6 G( ( 7 e x it ( c a l l ( C o l l e c t i o n +. i t e r a t o r ( ) ) 8 && target ( c ) ) returning i 9 ) ( 10 X(G( 11 ( entry ( 12 ( c a l l ( C o l l e c t i o n +. add (.. ) ) 13 c a l l ( C o l l e c t i o n +. remove (.. ) ) 14 c a l l ( C o l l e c t i o n +. clear ( ) ) 15 ) && target ( c ) 16 ) 17 ) ( 18 G( 19! ( 20 entry ( c a l l ( thismethod ) && target ( i ) ) 21 ) ) ) ) ) ) ) 22 " ) 23 public Object next ( ) ; 24 25 }
Semantic interfaces with J-LO How does it work? Code generation 1 Generate an AspectJ aspect implementing the required checks. 2 Weave this aspect into the base application. 3 The instrumented application checks itself during runtime. Evaluation based on Alternating Automata.
Runtime Verification Dynamic model Code generation s 0 /0 s 1 {p 1,p 2 } s 2 {p 1 } s 3 {p 1 } s 4{p2 } /0 {p 1,p 2 } {p 1 } {p 1 } Path identified by a sequence of sets of propositions 2 P Recognition of cycles impossible Path π = π[0]... π[n 1] finite
Code generation Specification encoded in Alternating automata G(p(x) F q(x)) p(x) p(1) F q(1) p(x) q(1) q(1) tt Σ
Code generation Specification encoded in Alternating automata G(p(x) F q(x)) p(x) p(1) p(2) p(x) F q(1) F q(2) q(1) q(1) q(2) q(2) tt tt Σ Σ
Implementation Example Code generation {{G(p(x) F q(x))}} {p(1),p(2)} {{G(p(x) F q(x)),f q(1),f q(2)}} {q(1)} {{G(p(x) F q(x)),f q(2)}} {q(2)} {{G(p(x) F q(x))}} G(p F q) p p F q q q tt Σ
Code generation Code generation Compiler Codegen Weaving Specification G( p )... Java bytecode G( p )... AFA in AspectJ aspect F1 {... Java bytecode if(!p) {... J-LO Tools we used: BAT2XML (TU Darmstadt) Extracts spec from Java annotations AspectBench Compiler ( abc, Oxford/McGill University) Code generations (AST rewrites) Instrumentation ( weaving )
Benchmarks Code generation Verification of temporal assertions for data structures: HashSets G( add ( set, c o l ) X G( modify ( c ) X( remove ( set, c o l ) R! contains ( set, c o l ) ) ) ) Stacks G( push ( s ) R! pop ( s ) ) Iterators / Enumerations tested with JHotDraw Lock order reversal problem tested with JigSaw (did actually find warnings!)
Related work Related work Future work Mainly on the fields of Aspect-oriented programming Program Query Languages Component Based Design Runtime Verification
Related work AOP/PQL/CBD Related work Future work Event based AOP (Douence et al.) [DFS04] Tracecuts (Walker et al.) [WV04] Tracematches (Allan et al.) [AAS + 04] Gamma (Ostermann et al.) [KO05] PQL (Martin et al.) [MLL05] PTQL (Goldsmith et al.) [GOA05] Südholt and Farias (Components with explicit behavioral protocols) [FS02]
Related work Runtime Verification Related work Future work Havelund et al. (NASA AMES) EAGLE [HBS03], Java PathExplorer [HR04] HAWK [dh05]: based on AspectJ/EAGLE, only subset of LTL Java MAC [KVK + 04] Temporal Rover manual instrumentation only
Future Work Related work Future work Future work: Tight integration with abc (in particular: Tracematches) Lowering the evaluation cost at runtime (JVM support?) Static dataflow analysis approximating results of Model Checking Performance optimizations
Related work Future work Tracechecks: Specification language for runtime-checking temporal assertions based on: AspectJ pointcuts, for generating a path model at runtime Linear temporal logic (LTL) to express temporal conditions over such paths Implementation using alternating automata and dynamic bindings in the Java Logical Observer - J-LO
Related work Future work Thank you for your attention Try it out: http://www-i2.informatik.rwth-aachen.de/jlo/
Appendix Program execution Thread t1 Lock l1 Aspect lock() lock(a=t1,x=l1) lock(a=t1,y=l1) props.add("lock(a,x)",[a=t1,x=l1]) Variables: Thread a, Lock x, Lock y props.add("lock(a,y)",[a=t1,y=l1]) lock configuration.transition(props) props= emptyset Propositions: lock(a,x), lock(a,y) lock
Appendix Bibliography I C. Allan, P. Avgustinov, A.S. Simon, L. Hendren, S. Kuzins, O. Lhoták, O. de Moor, D. Sereni, G. Sittamplan, and J. Tibble. Adding trace matching to AspectJ (submitted to OOPSLA 05). abc Technical Report abc-2005-01, McGill University, 2004. Rémi Douence, Pascal Fradet, and Mario Südholt. Composition, reuse and interaction analysis of stateful aspects. In AOSD 04: Proceedings of the 3rd international conference on Aspect-oriented software development, pages 141 150. ACM Press, 2004. Marcelo d Amorim and Klaus Havelund. Event-based runtime verification of java programs. In WODA 05: Proceedings of the third international workshop on Dynamic analysis, pages 1 7, New York, NY, USA, 2005. ACM Press. Andrés Farías and Mario Südholt. On components with explicit protocols satisfying a notion of correctness by construction. In In International Symposium on Distributed Objects and Applications (DOA). LNCS, 2002. Simon Goldsmith, Robert O Callahan, and Alex Aiken. Relational queries over program traces. In Proceedings of the 20th Annual ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages and Applications, pages 385 402, 2005. K. Havelund H. Barringer, A. Goldberg and K. Sen. EAGLE does space efficient LTL monitoring. Pre-Print CSPP-25, Department of Computer Science, University of Manchester, October 2003.
Appendix Bibliography II K. Havelund and G. Roşu. An Overview of the Runtime Verification Tool Java PathExplorer. Formal Methods in System Design, 24(2):189 215, 2004. K. Klose and K. Ostermann. Back to the future: Pointcuts as predicates over traces. In Foundations of Aspect-Oriented Languages workshop (FOAL 05), Chicago, USA, 2005. M. Kim, M. Viswanathan, S. Kannan, I. Lee, and O.V. Sokolsky. Java-MaC: A Run-time Assurance Approach for Java Programs. Formal Methods in System Design, 24(2):129 155, 2004. Michael Martin, Benjamin Livshits, and Monica S. Lam. Finding application errors using PQL: a program query language. In Proceedings of the 20th Annual ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages and Applications, pages 365 383, 2005. Robert J. Walker and Kevin Viggers. Implementing protocols via declarative event patterns. In SIGSOFT FSE, pages 159 169, 2004.