Interface Grammars for Modular Software Verification Tevfik Bultan Department of Computer Science University of California, Santa Barbara

This talk is based on: Graham Hughes and Tevfik Bultan. "Interface Grammars for Modular Software Model Checking." Proceedings of the 2007 ACM/SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2007). Graham Hughes and Tevfik Bultan. "Extended Interface Grammars for Automated Stub Generation." Proceedings of the Automated Formal Methods Workshop (AFM 2007). Graham Hughes, Tevfik Bultan and Muath Alkhalaf. "Client and Server Verification for Web Services Using Interface Grammars." To appear in the Proceedings of the Workshop on Testing, Analysis and Verification of Web Software (TAV-WEB 2008). Graham Hughes and Tevfik Bultan. "Interface Grammars for Modular Software Model Checking." To appear in IEEE Transactions on Software Engineering.

Outline Motivation Interface Grammars Interface Compiler A Case Study Interface Grammars for Web Services Another Case Study Conclusions

Model Checking Software Model checking –An automated software verification technique –Exhaustive exploration of the state space of a program to find bugs Systematically explore all possible behaviors of a program –look for violations of the properties of interest assertion violations, deadlock Software model checkers: Verisoft, Java PathFinder (JPF), SLAM, BLAST, CBMC

Two Challenges in Model Checking State space explosion –Exponential increase in the state space with increasing number of variables and threads State space includes everything: threads, variables, control stack, heap Environment generation –Finding models for parts of software that are either not available for analysis, or are outside the scope of the model checker

Modular Verification Modularity is key to scalability of any verification technique –Moreover, it can help isolating the behavior you wish to focus on, removing the parts that are beyond the scope of your verification technique Modularity is also a key concept for successful software design –The question is finding effective ways of exploiting the modularity in software during verification

Interfaces for Modularity How do we do modular verification? –Divide the software to a set of modules –Check each module in isolation How do we isolate a module during verification/testing? –Provide stubs representing other modules (environment) How do we get the stubs representing other modules? –Write interfaces Interfaces specify the behavior of a module from the viewpoint of other modules Generate stubs from the interfaces

Our Approach: Interface Grammars Here is the basic use case for our approach: 1.User writes an interface grammar specifying the interface 2.Our interface compiler automatically generates a stub from the interface grammar 3.Automatically generated stub provides the environment during modular verification

Interface Grammars Component A Component B Interface Grammar Interface Compiler Component B Stub Component A Model Checker Interface Grammar

An Example An interface grammar for transactions –Specifies the appropriate ordering for method calls to a transaction manager –Method calls are the terminal symbols of the interface grammar S tart → Base Base →begin Tail Base |ε |ε Tail →commit |rollback |rollback

An Example Consider the call sequence begin rollback begin commit Here is a derivation: Start  Base  begin Tail Base  begin rollback Base  begin rollback begin Tail Base  begin rollback begin commit Base  begin rollback begin commit S tart → Base Base →begin Tail Base |ε |ε Tail →commit |rollback |rollback

Another Example This example can also be specified as a Finite State Machine (FSM) However, the following grammar which specifies nested transactions cannot be specified as a FSM Start → Base Base →begin Base Tail Base |ε |ε Tail →commit |rollback |rollback begin commit rollback

Yet Another Example setrollbackonly which forces all the pending transactions to finish with rollback instead of commitLet’s add another method called setrollbackonly which forces all the pending transactions to finish with rollback instead of commit We achieve this by extending the interface grammars with semantic predicates and semantic actionsWe achieve this by extending the interface grammars with semantic predicates and semantic actions Start →«r:=false; l:=0» Base Base →begin «l:=l+1» Base Tail «l:=l-1; if l=0 then r:=false» Base «l:=l-1; if l=0 then r:=false» Base |setrollbackonly «r:=true» Base |setrollbackonly «r:=true» Base |ε |ε Tail →«r=false» commit |rollback |rollback

Interface Grammar Translation Our interface compiler translates interface grammars to executable code: –the generated code is the stub for the component The generated code is a parser that –parses the incoming method calls –while making sure that the incoming method calls conform to the interface grammar specification

Verification with Interface Grammars Interface Grammar Interface Compiler Program Model Checker Top-down parser parse table semantic predicates and semantic actions parser stack Component Stub method invocation (lookahead)

A Case Study We wrote an interface grammar for the EJB 3.0 Persistence API – This is an API specification for mapping Java object graphs to a relational database – Hibernate is an implementation of this API Hibernate distribution contains several example EJB clients that are designed to fail, and test exceptional behavior by violating the interface specification

A Case Study, Continued We used these simple clients to check the the fidelity of the stub generated from our interface specification – We used the JPF software model checker None of these examples can run under JPF directly Time taken to develop the interface was dominated by the need to understand EJB Persistence first – about a couple of hours

Experiments: Falsification sec. # obj.# iter Client 1Client 2Client 3 Client 4

Experiments: Verification sec. # obj.# iter Client 1Client 2Client 3 Client 4

A Case Study, Continued For these simple clients, interface violations can be detected by JPF in a couple of seconds using the EJB stub generated by our interface compiler –Falsification time does not increase with the number of operations executed or the number of objects created by the clients When we fix the errors, JPF is able to verify the absence of interface violations –Verification time increases with the number of operations executed or the number of objects created by the clients

Interface Grammars: Uni/Bidirectional Interface grammars can be –Unidirectional: No callbacks –Bidirectional: Need to handle Callbacks CallerCallee Interface Comp AComp B Interface

Interface Grammars: Client/Server Interface grammars can be used for –Client verification: Generate a stub for the server –Server verification: Generate a driver for the server Interface Compiler Interface Client Stub Server Driver

Interface Grammars and Data A crucial part of the interface specification is specifying the allowable values for the method arguments and generating allowable return values Approach 1: These can be specified in the semantic actions and semantic predicates of the interface grammars Approach 2: Can we specify the constraints about the arguments and return values using the grammar rules? –Yes, grammar productions can be used to specify the structure of most recursive data structures.

Modular Verification of Web Services We applied our modular verification approach based on interface grammars to client and server side verification of Web services

Interface Grammars and Web Services Our approach: 1.A WSDL-to-interface grammar translator automatically generates grammar productions that generate and/or validate XML arguments and return values 2.User adds control flow constraints by modifying the grammar 3.Interface compiler automatically generates a stub for client side verification and a driver for server-side verification

Interface Grammars for Web Services

Another Case Study: AWS-ECS We tested the Amazon E-Commerce Web Service (AWS- ECS) using our approach AWS-ECS WSDL specification lists 40 operations –that provide differing ways of searching Amazon’s product database We focus on the core operations: –ItemSearch, CartCreate, CartAdd, CartModify, CartGet, CartClear

Client-side Verification For client verification we used a demonstration client provided by Amazon This client does not check any constraints such as –You should not try to insert an item to a shopping cart before creating a shopping cart When such requests are sent to AWS-ECS they would return an error message Using our approach we can easily check if the client allows such erroneous requests Falsification time changes with the type of faults we are looking for (data or control errors), changes from 10 to 60 seconds

AWS-ECS: Server Verification Our interface compiler automatically generates a driver that sends sequences of requests to AWS-ECS server and checks that the return values conform to the interface specification The driver is a sentence generator –It generates sequences of SOAP requests based on the interface specification We used two algorithms for sentence generation: –A random sentence generation algorithm –Purdom’s algorithm: A directed sentence generation algorithm that guarantees production coverage

Directed Sentence Generation Number of sentences generated: 5 Average derivation length: 24 Average number of SOAP requests/responses: 3.8 Verification time: 20 seconds

Random Sentence Algorithm Number of sentences generated: 100 Average derivation length: 17.5 Average number of SOAP requests/responses: 3.2

Server-side verification We found two errors during server side verification –Errors were discovered within 10 seconds These errors indicate a mismatch between the interface specification and the server implementation It may mean that we misunderstood the description of the Web service interface It may also mean that there is an error in the service implementation

Conclusions Modular verification is a necessity Interfaces are crucial for modular verification Interface grammars provide a new specification mechanism for interfaces Interface grammars can be used for automated stub generation leading to modular verification

THE END

Related Work: Interfaces L. de Alfaro and T. A. Henzinger. Interface automata. O. Tkachuk, M. B. Dwyer, and C. Pasareanu. Automated environment generation for software model checking. A. Betin-Can and T. Bultan. Verifiable concurrent programming using concurrency controllers. T. Ball and S. K. Rajamani. SLAM interface specification language. G. T. Leavens et al.: JML

Related: Grammar-based Testing A. G. Duncan, J. S. Hurchinson: Using attributed grammars to test designs and implementations P. M. Maurer: Generating test data with enhanced context free grammars P. M. Maurer: The design and implementation of a grammar-based data generator E. G. Sirer and B. N. Bershad: Using production grammars in software testing