Pavel Parizek

Exhaustive testing of safety critical Java

With traditional testing, the test case has no control over non-deterministic scheduling decisions, and thus errors dependent on scheduling are only found by pure chance. Java Path Finder (JPF) is a specialized Java virtual machine that can systematically explore execution paths for all possible schedulings, and thus catch these errors. Unfortunately, execution-based model checkers, including JPF, cannot be easily adapted to support real-time programs. We propose a scheduling algorithm for JPF which allows testing of Safety Critical Java (SCJ) applications with periodic event handlers at SCJ levels 0 and 1 (without aperiodic event handlers). The algorithm requires that deadlines are not missed and that there is an execution time model that can give best- and worst-case execution time estimates for a given program path and specific program inputs. Our implementation, named RSJ, allows to search for scheduling dependent memory access errors, certain invalid argument errors, priority ceiling emulation protocol violations, and failed assertions in application code in SCJ programs for levels 0 and 1. It uses the execution time model of the Java Optimized Processor (JOP). We test our tool with Collision Detector and PapaBench application benchmarks. We provide an SCJ version of the C PapaBench benchmark, which implements an autopilot that has flown real UAVs.

Model Checking of Software Components: Combining Java PathFinder and Behavior Protocol Model Checker

Although there exist several software model checkers that check the code against properties specified e.g. via a temporal logic and assertions, or just verifying low-level properties (like unhandled exceptions), none of them supports checking of software components against a high-level behavior specification. We present our approach to model checking of software components implemented in Java against a high-level specification of their behavior defined via behavior protocols, which employs the Java PathFinder model checker and the protocol checker. The property checked by the Java PathFinder (JPF) tool (correctness of particular method call sequences) is validated via its cooperation with the protocol checker. We show that just the publisher/listener pattern claimed to be the key flexibility support of JPF (even though proved very useful for our purpose) was not enough to achieve this kind of checking

CoCoME in Fractal

This chapter presents our solution to the CoCoME assignment that is based on the Fractal component model. The solution involves (i) modeling architecture in Fractal ADL, (ii) specification of component behavior via behavior protocols, (iii) checking compatibility of components, (iv) verification of correspondence between component code and behavior specification, and (v) run-time monitoring of non-functional properties. Among the issues we have faced was the need to modify the architecture - the component hierarchy was reorganized in order to improve clarity of the design and the hierarchical bus was split into two independent buses. These were modeled by primitive components, since Fractal does not support message bus as a first-class entity. Since the CoCoME assignment does not include a complete UML behavior specification (e.g. via activity diagrams and state charts), behavior protocols for all the components are based on the provided plain-English use cases, the UML sequence diagrams, and the reference Java implementation.

Specification and Generation of Environment for Model Checking of Software Components

Model checking of isolated software components is inherently not possible because a component does not form a complete program with an explicit starting point. To overcome this obstacle, it is typically necessary to create an environment of the component which is the intended subject to model checking. We present our approach to automated environment generation that is based on behavior protocols [Plasil, F., and S. Visnovsky, Behavior Protocols for Software Components, IEEE Transactions on Software Engineering, 28(2002)]; to our knowledge, this is the only environment generator designed for model checking of software components. We compare it with the approach taken in the Bandera Environment Generator tool [Tkachuk, O., M. B. Dwyer and C. S. Pasareanu, Automated Environment Generation for Software Model Checking, 18th IEEE International Conference on Automated Software Engineering (ASE03), p. 116, 2003], designed for model checking of sets of Java classes.

Modeling Environment for Component Model Checking from Hierarchical Architecture

Application of model checking to isolated software components is not directly possible because a component does not form a complete program - the problem of missing environment occurs. A solution is to create an environment of some form for the component subject to model checking. As the most general environment can cause model checking of the component to be infeasible, we model the environment on the basis of a particular context the component is to be used in. More specifically, our approach exploits hierarchical component architecture and component behavior specification defined via behavior protocols, all that provided in ADL. This way, the environment represents the behavior of the rest of the particular application with respect to the target component. We present an algorithm for computing the model of environments behavior that is based on syntactical expansion and substitution of behavior protocols.

Identifying future field accesses in exhaustive state space traversal

One popular approach to detect errors in multi-threaded programs is to systematically explore all possible interleavings. A common algorithmic strategy is to construct the program state space on-the-fly and perform thread scheduling choices at any instruction that could have effects visible to other threads. Existing tools do not look ahead in the code to be executed, and thus their decisions are too conservative. They create unnecessary thread scheduling choices at instructions that do not actually influence other threads, which implies exploring exponentially greater numbers of interleavings. In this paper we describe how information about field accesses that may occur in the future can be used to identify and eliminate unnecessary thread choices. This reduces the number of states that must be processed to explore all possible behaviors and therefore improves the performance of exhaustive state space traversal. We have applied this technique to Java PathFinder, using the WALA library for static analysis. Experiments on several Java programs show big performance gains. In particular, it is now possible to check with Java PathFinder more complex programs than before in reasonable time.

CoCoME in SOFA

This chapter presents our solution to the CoCoME assignment that is based on the SOFA 2.0 (SOFtware Appliances) hierarchical component model. The solution involves (i) modeling architecture in SOFA meta-model, (ii) speci fication of component behavior via extended behavior protocols, (iii) checking behavior compliance of components, (iv) verification of correspondence be tween selected component Java code and behavior specification, (v) deploy ment to SOFA run-time envi ronment (using connectors that support RMI and JMS), and (vi) modeling of performance and resource usage via layered queue ing networks. We faced sev eral issues during implementation of the CoCoME assignment in SOFA 2.0. Most notably, the architecture was modified in order to improve clarity of the design --- in particular, the hierarchical bus was re placed by two separate buses and the Inventory component was restructured. Extended behavior protocols for all the components are based on the provided plain-English use cases, the UML sequence diagrams, and the reference Java implementation (the assignment does not include a complete UML behavior specification e.g. via activity dia grams and state charts).

Modeling of Component Environment in Presence of Callbacks and Autonomous Activities

A popular approach to compositional verification of component-based applications is based on the assume-guarantee paradigm, where an assumption models behavior of an environment for each component. Real-life component applications often involve complex interaction patterns like callbacks and autonomous activities, which have to be considered by the model of environment’s behavior. In general, such patterns can be properly modeled only by a formalism that (i) supports independent atomic events for method invocation and return from a method and (ii) allows to specify explicit interleaving of events on component’s provided and required interfaces - the formalism of behavior protocols satisfies these requirements. This paper attempts to answer the question whether the model involving only events on provided interfaces (calling protocol) could be valid under certain constraints on component behavior. The key contribution are the constraints on interleaving of events related to callbacks and autonomous activities, which are expressed via syntactical patterns, and evaluation of the proposed constraints on real-life component applications.

Challenge benchmarks for verification of real-time programs

Real-time systems, and in particular safety-critical systems, are a rich source of challenges for the program verification community as software errors can have catastrophic consequences. Unfortunately, it is nearly impossible to find representative safety-critical programs in the public domain. This has been significant impediment to research in the field, as it is very difficult to validate new ideas or techniques experimentally. This paper presents open challenges for verification of real-time systems in the context of the Real-time Specification for Java. But, our main contribution is a family of programs, called CDx, which we present as an open source benchmark for the verification community.

Predicate abstraction of Java programs with collections

Our goal is to develop precise and scalable verification techniques for Java programs that use collections and properties that depend on their content. We apply the popular approach of predicate abstraction to Java programs and collections. The main challenge in this context is precise and compact modeling of collections that enables practical verification. We define a predicate language for modeling the observable state of Java collections at the interface level. Changes of the state by API methods are captured by weakest preconditions. We adapt existing techniques for construction of abstract programs. Most notably, we designed optimizations based on specific features of the predicate language. We evaluated our approach on Java programs that use collections in advanced ways. Our results show that interesting properties, such as consistency between multiple collections, can be verified using our approach. The properties are specified using logic formulas that involve predicates introduced by our language.