Analyzing Interaction Orderings with Model Checking Support US National Science Foundation (NSF CISE/SEL) US Department of Defense Advanced Research Projects.

Presentation transcript:

Analyzing Interaction Orderings with Model Checking

Support:
- US National Science Foundation (NSF CISE/SEL)
- US Department of Defense Advanced Research Projects Agency (DARPA/IXO PCES)
- US Army Research Office (ARO CIP/SW)

Matthew B. Dwyer (University of Nebraska)
Robby, Oksana Tkachuk (Kansas State University)
Willem Visser (NASA Ames Research Center)

Model Checking GUIs

Problems
- State space explosion due to large data domains
- Swing framework complexity

General Solutions
- Modular Verification
- Abstraction
- Reduction

Our Solutions

- Modular verification
  - Treat GUI implementation as module
- Domain-specific abstractions
  - Swing framework
  - Underlying application
- Domain-specific model checking
  - Customized reductions

Our Solutions

Are implemented in
- Bandera Environment Generator (BEG)
  - Extensible model generation/extraction tool
- Bogor
  - Extensible model checker

Bandera Environment Generator

- Finds points of interaction (unit interface)
- Identifies environment classes that directly interact with the unit
  - Method calls
  - Field access
- Cuts away classes that don't directly interact with the unit
- Generates models for the remaining classes

[Diagram labels: Unit; Code Base]

Environment Models in BEG

- Universal environments
  - Safe but impractical
- Synthesized from environment assumptions
  - User-supplied
  - Automatically extracted from environment implementation using static analysis techniques

Modular Verification using BEG

Environment classes are broken into
- Active classes hold a thread of control (drivers)
- Passive classes (stubs)

[Diagram labels: Unit; Code Base; Drivers; Stubs; Closed Unit; Java + modeling primitives; + Unit Properties → Java Model Checker]

Bogor – Domain Specific Model-Checking

- Extensible modeling language and plug-in architecture allows Bogor to be customized to a variety of application domains
- Modeling language and Algorithms easily customized to different domains

[Diagram labels: Domain X; Domain Y; Domain Z]

Variety of System Descriptions

[Diagram labels: Model Checker; Design Notations; Byte code; State Machines; Source code]

Different levels of abstraction!

Domain-Specific Model Checking

Abstract machine tailored to domain and level of abstraction

[Diagram labels: Model-checking Engine; BEG models; Domain & Abstraction Extensions; GUI]

Bogor Extensions

- Modeling Language Extensions
  - Type extensions
  - Expression extensions
  - Action extensions
- Module Extensions
  - interpretative component extensions
  - model checking component extensions

Our Approach: Modeling

[Diagram labels: BEG + manual refinement; BEG abstraction; Swing Lib Model; GUI Application Model; User Model; Display; Swing Lib; GUI Application; User; Property; Java to BIR Translator]

Interaction Ordering Properties

- Automata-based sequencing properties
- For example, regular expressions

      .; display[error]; ^button[ok];.*

- English: when an error message is displayed, the only available user action is acknowledgement via ok button

Next…

- Extension of BEG to
  - Discover/Analyze Swing classes
  - Model Swing classes
- Extension of Bogor to
  - Handle BEG modeling primitives
  - Implement domain-specific state storage strategies

Identifying GUI components

- BEG scans GUI implementation for Swing references
- BEG analyzes the actual code of Swing classes and generates models for them based on analysis results

[Diagram labels: GUI Impl; Swing Components]

BEG Analysis for Swing Classes

Customized Side-Effects analysis is used to identify:
- Containment relationships
- Publish-Subscribe relationships
- Visibility
- Enabledness
- Modality

Analysis results/models can be used across multiple examples

Example: actual code

    public class Container extends Component {
        Component[] component = new Component[0];

        public Component add(Component comp) {
            addImpl(comp, null, -1);
            return comp;
        }

        protected void addImpl(Component comp, Object constraints, int index) {
            if (ncomponents == component.length) {
                Component newcomponents[] = new Component[..];
                component = newcomponents;
                ...
            }
            if (index == -1 || index == ncomponents) {
                component[ncomponents++] = comp;
            } else {
                component[index] = comp;
                ncomponents++;
            }
            ...
        }
    }

Method Analysis

Analysis results for Container.add (same source as in the previous slide):

    // must side-effects
    this.component[TOP_INT] = param0;
    this.ncomponents = TOP_INT

    // may side-effects
    Component[] component0 = new Component[TOP_INT];
    ...
    this.component = component0;

    // return locations
    { param0 }

From Analysis to Model

Analysis results for Container.add (same source as in the previous slides):

    // must side-effects
    this.component[TOP_INT] = param0;
    this.ncomponents = TOP_INT

    // return locations
    { param0 }

Generated model:

    public class Container extends Component {
        Component[] component;
        int ncomponents;

        public Component add(Component param0) {
            component[ncomponents] = param0;
            ncomponents++;
            return param0;
        }
    }

Modeling User

The user may click on any visible enabled components
- On the most recently opened modal window or on any non-modal window, if no modal windows are open

[Diagram labels: GUI Impl; User]

Modal vs. Non-modal Dialogs

    Set nonModalWindows
    Stack modalWindows

Choosing Top-Level Window

    Set nonModalWindows
    Stack modalWindows

    public Window chooseTopWindow() {
        Window window = null;
        if (!modalWindows.empty())
            window = modalWindows.pop();
        else
            window = chooseReachable("Window", nonModalWindows);
        return window;
    }

User Model

    while (true) {
        window = chooseTopWindow();
        container = chooseReachable("JComponent", window, isVisible, isEnabled);
        notifyListeners(container);
    }

Notification

- An event object is created and passed to the event-handling code of listeners registered on the clicked component
- This event object is abstract
- If the event is queried, the query will result in a nondeterministic choice
- This leads to exploring all possible events
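
The user model above, combined with the ordering property from the "Interaction Ordering Properties" slide, as an added example in Python (not part of the slides and not BEG or Bogor code). It searches every user choice in a constructed two-window GUI and returns a violating event trace when the error dialog is non-modal, and none when it is modal; the windows, buttons, handlers and function names are assumptions made for the illustration.

```python
# Added illustration, not Bogor/BEG code: the window layout, button names and
# handlers are constructed. The search explores model x property automaton.
MAIN, ERROR = ("main", ("submit", "help")), ("error", ("ok",))

def enabled_clicks(modal, non_modal):
    """User model: act on the top modal window if any, else on any non-modal window."""
    windows = [modal[-1]] if modal else sorted(non_modal)
    return [(name, button) for name, buttons in windows for button in buttons]

def handle(modal, non_modal, window, button, error_is_modal):
    """Constructed event handlers: return (emitted events, modal stack, non-modal set)."""
    if (window, button) == ("main", "submit"):      # submit fails and opens the error dialog
        events = ["button[submit]", "display[error]"]
        if error_is_modal:
            return events, modal + (ERROR,), non_modal
        return events, modal, non_modal | {ERROR}
    if (window, button) == ("error", "ok"):         # acknowledgement closes the dialog
        return ["button[ok]"], tuple(w for w in modal if w != ERROR), non_modal - {ERROR}
    return [f"button[{button}]"], modal, non_modal

def monitor(pending, event):
    """Property automaton step: return (error still unacknowledged?, violation?)."""
    if event == "display[error]":
        return True, False
    if event == "button[ok]":
        return False, False
    if event.startswith("button["):
        return pending, pending                     # any other click while the error is shown
    return pending, False

def check(error_is_modal):
    """Depth-first search over all user choices; return a violating trace or None."""
    start = ((), frozenset({MAIN}), False)
    seen, work = {start}, [(start, [])]
    while work:
        (modal, non_modal, pending), trace = work.pop()
        for window, button in enabled_clicks(modal, non_modal):
            events, m, n = handle(modal, non_modal, window, button, error_is_modal)
            p = pending
            for i, event in enumerate(events):
                p, violated = monitor(p, event)
                if violated:
                    return trace + events[:i + 1]
            if (m, n, p) not in seen:
                seen.add((m, n, p))
                work.append(((m, n, p), trace + events))
    return None

if __name__ == "__main__":
    print("non-modal error dialog:", check(error_is_modal=False))
    print("modal error dialog:    ", check(error_is_modal=True))
```

Folding the monitor flag into the explored state is what keeps the search finite: two GUI states that differ only in whether an error is still unacknowledged are treated as distinct.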

Modeling Primitives (Recap)

Express environment nondeterminism:

    choose()
    chooseInt(int n, int m)
    chooseClass(boolean subType, String type, boolean isVisible, boolean isEnabled)
    chooseReachable(boolean subType, String type, Object from, boolean isInvisibleComponent, boolean isVisible, boolean isEnabled)

Bogor Extensions (Syntax)

    extension Choose for bogor.ext.ChooseModule {
        expdef boolean chooseBoolean();
        expdef int chooseInt(int, int);
        expdef 'rec$a chooseObject (boolean, 'rec$a -> boolean...);
        expdef 'rec$a chooseReachableObject (boolean, Object, Object -> boolean, 'rec$a -> boolean...);
    }

    fun isVisible(Component c) returns boolean = c.visible;
    fun isEnabled(Component c) returns boolean = c.enabled;
    fun isInvisibleComponent(Object o) returns boolean =
        o instanceof Component && !isVisible((Component) o);

Bogor Extensions (Semantics)

    package bogor.ext.ChooseModule...

    public class ChooseModule implements IModule {
        ...
        public IValue chooseBoolean(IExtArguments args) {
            IValue[] values = new IValue[] { vf.newIntValue(0), vf.newIntValue(1) };
            int index = ss.advise(..., values, args.getSchedulingStrategyInfo());
            return values[index];
        }
    }

Store-States-On-Choose (SSC) Strategy

- BEG models execute event-handling code in a single thread
- BEG models are sufficient to check ordering properties
- State-space branching occurs only in states where choose primitives are evaluated; only such states are stored
- This strategy preserves interaction properties
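
The storage strategy described on this slide, as an added example in Python (not part of the slides and not Bogor code). A constructed single-threaded model is searched twice, once storing every state (ALL) and once storing only states where a choose point is evaluated (SSC); the model, its locations and the function names are assumptions made for the illustration.

```python
# Added illustration, not Bogor code: a constructed single-threaded model in
# which branching happens only at a choose point (pc 0, the user picks a button).
LIMIT = 3   # constructed bound on the counter so the state space is finite

def successors(state):
    """Return (is_choose_point, next states) for state = (pc, counter)."""
    pc, x = state
    if pc == 0:                                  # user model: choose "inc" or "reset"
        return True, [(1, x), (4, x)]
    if pc == 1:                                  # inc handler, step 1: update data
        return False, [(2, min(x + 1, LIMIT))]
    if pc == 2:                                  # inc handler, step 2: e.g. repaint
        return False, [(3, x)]
    if pc == 3:                                  # inc handler returns to the user loop
        return False, [(0, x)]
    return False, [(0, 0)]                       # pc 4: reset handler

def explore(strategy):
    """Search with "ALL" or "SSC" storage; return (stored count, choose states seen)."""
    start = (0, 0)
    stored, choose_states, work = {start}, set(), [start]
    while work:
        state = work.pop()
        is_choose, nexts = successors(state)
        if is_choose:
            choose_states.add(state)
        for nxt in nexts:
            if strategy == "SSC":
                # Run the handler to its next choose point without storing the
                # intermediate states. Assumes handlers terminate: a handler that
                # loops without evaluating choose would never leave this loop.
                while not successors(nxt)[0]:
                    nxt = successors(nxt)[1][0]
            if nxt not in stored:
                stored.add(nxt)
                work.append(nxt)
    return len(stored), choose_states

if __name__ == "__main__":
    for strategy in ("ALL", "SSC"):
        count, chooses = explore(strategy)
        print(strategy, "stored:", count, "choose states:", sorted(chooses))
```

Both runs reach the same set of choose-point states, which is why a property that only observes events at those points is unaffected by the smaller stored set.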

Evaluating SSC Strategy

Table columns: Example; Measure; ALL; SSC
Measures for each example: Trans; States; Space (Mb); Time (s)

Examples:
- Voting Dialogs: Objects: 50, Choices: 3, Locations: 7563
- Voting Dialogs: Objects: 120, Choices: 4, Locations: 8269
- Dialog Demo: Objects: 257, Choices: 14, Locations: 8689
- Calculator: Objects: 362, Choices: 24, Locations: 8789

Limitations

- Real GUIs are not single-threaded
- To address deadlock/locking properties, sophisticated analyses needed to extract models that preserve threading/locking behavior
- This work treats ordering properties only

Related Work

- GUI Ripping: reverse engineering of GUIs [Memon et al.]
- SMV MC GUI models [Dwyer et al.]
- MC HCI models [Campos, Harrison, Rushby] (Murphi, SMV, SPIN)
- Modeling Event-Handling [Chen]
- Modeling and MC of GUIs [Berstel et al.]

Summary

- Overview of BEG
- Overview of Bogor
- Presentation of Modeling and Model checking strategies for checking ordering properties of GUIs
- For more information on tools