1 / 36

Interface Grammars for Modular Software Verification

Interface Grammars for Modular Software Verification. Tevfik Bultan Department of Computer Science University of California, Santa Barbara. This talk is based on:.

kendall
Download Presentation

Interface Grammars for Modular Software Verification

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Interface Grammars for Modular Software Verification Tevfik Bultan Department of Computer Science University of California, Santa Barbara

  2. This talk is based on: • Graham Hughes and Tevfik Bultan. "Interface Grammars for Modular Software Model Checking." Proceedings of the 2007 ACM/SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2007). • Graham Hughes and Tevfik Bultan. "Extended Interface Grammars for Automated Stub Generation." Proceedings of the Automated Formal Methods Workshop (AFM 2007). • Graham Hughes, Tevfik Bultan and Muath Alkhalaf. "Client and Server Verification for Web Services Using Interface Grammars." To appear in the Proceedings of the Workshop on Testing, Analysis and Verification of Web Software (TAV-WEB 2008). • Graham Hughes and Tevfik Bultan. "Interface Grammars for Modular Software Model Checking." To appear in IEEE Transactions on Software Engineering.

  3. Outline • Motivation • Interface Grammars • Interface Compiler • A Case Study • Interface Grammars for Web Services • Another Case Study • Conclusions

  4. Model Checking Software • Model checking • An automated software verification technique • Exhaustive exploration of the state space of a program to find bugs • Systematically explore all possible behaviors of a program • look for violations of the properties of interest • assertion violations, deadlock • Software model checkers: Verisoft, Java PathFinder (JPF), SLAM, BLAST, CBMC

  5. Two Challenges in Model Checking • State space explosion • Exponential increase in the state space with increasing number of variables and threads • State space includes everything: threads, variables, control stack, heap • Environment generation • Finding models for parts of software that are • either not available for analysis, or • are outside the scope of the model checker

  6. Modular Verification • Modularity is key to scalability of any verification technique • Moreover, it can help isolatingthe behavior you wish to focus on, removing the parts that are beyond the scope of your verification technique • Modularity is also a key concept for successful software design • The question is finding effective ways of exploiting the modularity in software during verification

  7. Interfaces for Modularity • How do we do modular verification? • Divide the software to a set of modules • Check each module in isolation • How do we isolate a module during verification/testing? • Provide stubs representing other modules (environment) • How do we get the stubs representing other modules? • Write interfaces • Interfaces specify the behavior of a module from the viewpoint of other modules • Generate stubs from the interfaces

  8. Our Approach: Interface Grammars Here is the basic use case for our approach: • User writes an interface grammar specifying the interface • Our interface compiler automatically generates a stub from the interface grammar • Automatically generated stub provides the environment during modular verification

  9. Interface Grammars Interface Compiler Interface Grammar Component B Interface Grammar Component B Stub Component A Model Checker Component A

  10. An Example • An interface grammar for transactions • Specifies the appropriate ordering for method calls to a transaction manager • Method calls are the terminal symbols of the interface grammar Start→Base Base→beginTailBase | ε Tail→commit | rollback

  11. An Example • Consider the call sequence begin rollback begin commit • Here is a derivation: Start • Base • beginTail Base • begin rollbackBase • begin rollback beginTail Base • begin rollback begin commitBase • begin rollback begin commit Start→Base Base→beginTailBase | ε Tail→commit | rollback

  12. Another Example • This example can also be specified as a Finite State Machine (FSM) • However, the following grammar which specifies nested transactions cannot be specified as a FSM begin commit rollback Start→Base Base→beginBaseTailBase | ε Tail→commit | rollback

  13. Yet Another Example • Let’s add another method called setrollbackonlywhich forces all the pending transactions to finish with rollback instead of commit • We achieve this by extending the interface grammars with semantic predicates and semantic actions Start→«r:=false; l:=0»Base Base→begin«l:=l+1»BaseTail «l:=l-1; if l=0 then r:=false»Base | setrollbackonly«r:=true»Base | ε Tail→«r=false»commit | rollback

  14. Interface Grammar Translation • Our interface compiler translates interface grammars to executable code: • the generated code is the stub for the component • The generated code is a parser that • parses the incoming method calls • while making sure that the incoming method calls conform to the interface grammar specification

  15. Verification with Interface Grammars Interface Compiler Interface Grammar Top-down parser Program parser stack method invocation (lookahead) Component Stub parse table semantic predicates and semantic actions Model Checker

  16. A Case Study • We wrote an interface grammar for the EJB 3.0 Persistence API • This is an API specification for mapping Java object graphs to a relational database • Hibernate is an implementation of this API • Hibernate distribution contains several example EJB clients that are designed to fail, and test exceptional behavior by violating the interface specification

  17. A Case Study, Continued • We used these simple clients to check the the fidelity of the stub generated from our interface specification • We used the JPF software model checker • None of these examples can run under JPF directly • Time taken to develop the interface was dominated by the need to understand EJB Persistence first • about a couple of hours

  18. Experiments: Falsification Client 1 Client 2 Client 3 Client 4

  19. Experiments: Verification Client 1 Client 2 Client 3 Client 4

  20. A Case Study, Continued • For these simple clients, interface violations can be detected by JPF in a couple of seconds using the EJB stub generated by our interface compiler • Falsification time does not increase with the number of operations executed or the number of objects created by the clients • When we fix the errors, JPF is able to verify the absence of interface violations • Verification time increases with the number of operations executed or the number of objects created by the clients

  21. Interface Grammars: Uni/Bidirectional • Interface grammars can be • Unidirectional: No callbacks • Bidirectional: Need to handle Callbacks Callee Caller Interface Comp B Comp A Interface

  22. Interface Grammars: Client/Server • Interface grammars can be used for • Client verification: Generate a stub for the server • Server verification: Generate a driver for the server Client Stub Interface Compiler Interface Server Driver

  23. Interface Grammars and Data • A crucial part of the interface specification is specifying the allowable values for the method arguments and generating allowable return values • Approach 1: These can be specified in the semantic actions and semantic predicates of the interface grammars • Approach 2: Can we specify the constraints about the arguments and return values using the grammar rules? • Yes, grammar productions can be used to specify the structure of most recursive data structures.

  24. Modular Verification of Web Services • We applied our modular verification approach based on interface grammars to client and server side verification of Web services

  25. Interface Grammars and Web Services Our approach: • A WSDL-to-interface grammar translator automatically generates grammar productions that generate and/or validate XML arguments and return values • User adds control flow constraints by modifying the grammar • Interface compiler automatically generates a stub for client side verification and a driver for server-side verification

  26. Interface Grammars for Web Services

  27. Another Case Study: AWS-ECS • We tested the Amazon E-Commerce Web Service (AWS-ECS) using our approach • AWS-ECS WSDL specification lists 40 operations • that provide differing ways of searching Amazon’s product database • We focus on the core operations: • ItemSearch, CartCreate, CartAdd, CartModify, CartGet, CartClear

  28. Client-side Verification • For client verification we used a demonstration client provided by Amazon • This client does not check any constraints such as • You should not try to insert an item to a shopping cart before creating a shopping cart • When such requests are sent to AWS-ECS they would return an error message • Using our approach we can easily check if the client allows such erroneous requests • Falsification time changes with the type of faults we are looking for (data or control errors), changes from 10 to 60 seconds

  29. AWS-ECS: Server Verification • Our interface compiler automatically generates a driver that sends sequences of requests to AWS-ECS server and checks that the return values conform to the interface specification • The driver is a sentence generator • It generates sequences of SOAP requests based on the interface specification • We used two algorithms for sentence generation: • A random sentence generation algorithm • Purdom’s algorithm: A directed sentence generation algorithm that guarantees production coverage

  30. Directed Sentence Generation • Number of sentences generated: 5 • Average derivation length: 24 • Average number of SOAP requests/responses: 3.8 • Verification time: 20 seconds

  31. Random Sentence Algorithm • Number of sentences generated: 100 • Average derivation length: 17.5 • Average number of SOAP requests/responses: 3.2

  32. Server-side verification • We found two errors during server side verification • Errors were discovered within 10 seconds • These errors indicate a mismatch between the interface specification and the server implementation • It may mean that we misunderstood the description of the Web service interface • It may also mean that there is an error in the service implementation

  33. Conclusions • Modular verification is a necessity • Interfaces are crucial for modular verification • Interface grammars provide a new specification mechanism for interfaces • Interface grammars can be used for automated stub generation leading to modular verification

  34. THE END

  35. Related Work: Interfaces • L. de Alfaro and T. A. Henzinger. Interface automata. • O. Tkachuk, M. B. Dwyer, and C. Pasareanu. Automated environment generation for software model checking. • A. Betin-Can and T. Bultan. Verifiable concurrent programming using concurrency controllers. • T. Ball and S. K. Rajamani. SLAM interface specification language. • G. T. Leavens et al.: JML

  36. Related: Grammar-based Testing • A. G. Duncan, J. S. Hurchinson: Using attributed grammars to test designs and implementations • P. M. Maurer: Generating test data with enhanced context free grammars • P. M. Maurer: The design and implementation of a grammar-based data generator • E. G. Sirer and B. N. Bershad: Using production grammars in software testing

More Related