Presentation is loading. Please wait.

Presentation is loading. Please wait.

Reasoning About Exceptions Using Model Checking

Similar presentations


Presentation on theme: "Reasoning About Exceptions Using Model Checking"— Presentation transcript:

1 Reasoning About Exceptions Using Model Checking
Reid Simmons David Garlan Jeannette M. Wing George Fairbanks, Gil Tolle, Balaji Sarpeshkar, Joe Jiang Computer Science Department Carnegie Mellon University Pittsburgh, PA

2 Outline Why Model Check Exceptions? Approach Example IEL MOPED
Translations “Gotchas” Example Vending Machine Exceptions and Model Checking May 1, 2003

3 Exceptions in Programming Languages
Raising Exceptions Throw of named/typed exceptions Catch by nearest matching handler Exceptions may form inheritance hierarchy “Clean up” Construct Finally / Unwind-protect Executed in both nominal and exceptional situations Semantics Termination (C++, Java, Lisp) Resumption (Mesa, Eiffel, TDL) Exceptions and Model Checking May 1, 2003

4 Why Hard? Non-Local Flow of Control
Context of “Catch” Frames Determined Dynamically “Clean Up” Construct Adds Additional Pathways Hard to Reason About All Possible Execution Paths Impossible To Do So Purely Locally Exceptions and Model Checking May 1, 2003

5 Overview of Our Approach
Source Code IEL MOPED Specifications Counter Example Exceptions and Model Checking May 1, 2003

6 Intermediate Exception Language (IEL)
Captures Commonalities of Exception Handling Among Different Languages Focuses on Control-Flow Constructs Relevant to Reasoning About Exceptions Catch/Throw/Finally Iteration and Conditionals Break and Return Assignment Procedures Hierarchical Exceptions Minimal Data Representation No value-returning functions Exceptions and Model Checking May 1, 2003

7 IEL Example: Resource Locking
var locked: int exception e1 procedure main () { locked := 0 while true { try { lock() randomException() unlock() } catch e1 { /* unlock() */ } procedure lock () { if locked = 1 then error() if locked = 0 then locked := 1 } procedure randomException () { if (p) throw e1 Aside: Can handle probabilistic CTL and knowledge at the leaves: AF>0.95((I knows K)) Exceptions and Model Checking May 1, 2003

8 MOPED Model Checker for Push-Down Automata
Stefan Schwoon’s PhD Thesis Symbolic Model Checker Handles Procedures with Local Variables Need to Explicitly Handle Frame Axioms Verifies LTL State Reachability Formulae Currently cannot handle LTL formulae involving variables Minimal Data Representation Exceptions and Model Checking May 1, 2003

9 Translating IEL  MOPED
Create Local Translation Rules for Each IEL Construct Assign ( x := y) q <procN> --> q <procN+1> (x’ = y & frameAllExcept(x)) Conditional ( if p then stmt) q <procN> --> q <procN+1> “if true” (p = 1 & frameAll) q <procN> --> q <procN’> “if false” (p = 0 & frameAll) …stmt… q<procN’> … Throw ( throw ex) q <procN> --> q <procEx> (ex’ = 1 & …) Try/Catch ( try { tryblock } catch ex { catchblock}) q <procN> --> q<procTry> “jump past catch” (frameAll) q <procEx> --> q<procCatch> “caught ex” (ex = 1 & …) q <procEx> --> q<procN> “didn’t catch ex” (ex = 0 & …) …catchBlock translation… …tryBlock translation… q <procN> … Exceptions and Model Checking May 1, 2003

10 “Gotchas” Exception Hierarchy (Nested) Finally Blocks
Break and Return Statements Exceptions and Model Checking May 1, 2003

11 Modeling Exception Hierarchy
exception e0 exception e1 extends e0 try { throw e1 } catch e0 {} Preprocess IEL Code to Determine Hierarchy “Throw” Explicitly Sets Exception and All Its Parents q <procN> --> q <procEx> (e1’ = 1 & e0’ = 1 & …) Matching “Catch” Clears All Exceptions q <procN> --> q <procN+1> (e0’ = 0 & e1’ = 0 & e2’ = 0 & …) Aside: Can handle probabilistic CTL and knowledge at the leaves: AF>0.95((I knows K)) Exceptions and Model Checking May 1, 2003

12 Modeling Finally Blocks
try { if q then throw e1 } finally { if p then throw e2 } catch e1 { x := x / 0 } x := x + 1 } Store State of Exceptions Upon Entering Finally Block Clear All Exceptions Before Executing Finally Block Restore Exception State at End of Finally Block, Unless a New Exception Was Raised Exceptions and Model Checking May 1, 2003

13 Modeling Nested Finally Blocks
NL = 0; EL = -1 try { throw e1 } finally { if p then throw e2 x := x + 1 } Store State of Exceptions Upon Entering Finally Plus Keep Track of “nesting level” and “exception level” Increment “nesting level” on Entering, and Decrement on Exit Clear All Exceptions Before Executing Finally Block Before Entering Finally Block with an Exception, Set “exception level” to “nesting level” Propagate Exception on Exit if “exception level” equals “nesting level” try { throw e1 } finally { throw e2 } catch e2 { } finally { } x := x + 1 } EL = 0 NL = 1 EL = 1/0 NL = 2 NL = 1 NL = 0 Exceptions and Model Checking May 1, 2003

14 Modeling Break and Return Statements
“Break” and “Return” Interact in Interesting Ways with Exceptions and Finally Blocks while (x < 5) { try { if x = 3 then { throw e1 } finally { break x := x * 5 } } catch e1 {} x := x+1 x := x - 2 while (x < 5) { try { if x = 3 then { break } finally { throw e1 x := x * 5 } } catch e1 {} x := x+1 x := x - 2 LHS: 14; RHS: 13 Approach: Treat “Break” and “Return” as Exceptions that do not Propagate!! Exceptions and Model Checking May 1, 2003

15 Example: Vending Machine
Model of Vending Machine Machine vends product, if it has that product in stock and sufficient $$ put in Represented by Java program that has significant exceptions From TSE article by Sinha & Harrold Verify that if Money is Put in the Machine, Eventually it will either Return Money or Vend Product Static analysis is insufficient Hand-coded IEL program from Java source; Automated IEL  MOPED translation Found bug in the program (could keep on adding money indefinitely – no limit) Exceptions and Model Checking May 1, 2003

16 Ongoing and Future Work
Translating Java  IEL Work in Progress Parser and Most of Translator Exist Main Difficulty in Dealing with Objects Complex data structures, Inheritance, Dynamic memory allocation Add Specification Language to IEL Translate Other Languages (C++, Lisp) Model Resumption Model of Exceptions Test on Software with Significant Exceptions Exceptions and Model Checking May 1, 2003


Download ppt "Reasoning About Exceptions Using Model Checking"

Similar presentations


Ads by Google