Java Pathfinder

1
Java Pathfinder

• Rafael Duarte
• rmd_at_cin.ufpe.br

2
Agenda

• Motivation
• Model-Checking
• Java Pathfinder
• Why Java Pathfinder?
• Conclusion

3
Motivation

• Assuring the correctness of concurrent Java
  programs is a difficult task
• Java primitives for concurrency are very error
  prone
• synchronized, wait(), notify() can easily
  introduce deadlocks
• Model Checking can be a powerful tool to help
  addressing these issues

4
Model Checking

• Algorithms, rather than proof calculi, for
  system verification which operate on a system
  model (semantics), rather than a system
  description (syntax). (Tom Henzinger)

5
Model Checking
From CSP, Promela, Java
Graph traversing algorithm
Answer Yes if model satisfies specification Count
er-example if model does not satisfy
specification
Model CheckingTool
System Model
Specification (System Properties)
Temporal logic formulas, refinement
6
Model Checking

• Drawbacks
• State explosion
• scalability

7
Java Pathfinder

• Java PathFinder (JPF) is a system to verify
  executable Java bytecode programs. In its basic
  form, it is a Java Virtual Machine (JVM) that is
  used as an explicit state software model checker,
  systematically exploring all potential execution
  paths of a program to find violations of
  properties like deadlocks or unhandled exceptions
  (JPF site)

8
Java Pathfinder
9
Model Extraction

• Reducing the state explosion
• Symmetry reductions
• Abstract interpretation
• Static analysis
• Runtime analysis

10
What can be checked with JPF

• Out of the box
• Deadlock and unhandled exceptions
• Race conditions and heap bounds
• Almost every java applications
• Closed systems
• No support for java.awt and java.net
• Limited support for java.io and reflection
• No support for libraries with native code
• Application size 10Kloc

11
Java Pathfinder Extensibility

• Users can implement their own properties to be
  checked
• Search/VMListener
• Provide an Listener to specific JPF events

12
Running JPF

• Download it from the svn repository (strongly
  recommended)
• Run the JPF class passing the class to be checked
  as parameter
• Lots of possible parameters
• Lacks an usable interface (GUI)

13
Our work
14
Parallelizing Java

• Automatic transformations to convert a sequential
  Java program into a concurrent one.
• Issues concerning the transformations
  correctness
• It should not introduce errors in the original
  program
• Take advantage of multiprocessors

15
Parallelizing Java
Sequential
Concurrent
com1 com2 com3 com4 com5
Splitting
com1 com2 com5
com3 com4
16
Why Java Pathfinder?

• We believe in the possibility of extending it to
  check data sharing
• Semantic verification would allow us to deal with
  reference aliasing
• Independent commands would be put in parallel
• Data flow analysis would tell us which commands
  are independent (work in different data
  partitions)

17
Dataflow Analysis

• Conta c new Conta(1234-5)
• Conta d c
• int i Math.random() 10
• d.setSaldo(100.0)
• c.creditar(50.0)
• int j i 50

18
Final Remarks

• Java Pathfinder is a powerful tool to verify java
  programs
• But its use requires some expertise
• Very useful when working with concurrency
• Its extensibility mechanism greatly increases the
  way it can be exploited

19
References

• Java Pathfinder site
• http//javapathfinder.sourceforge.net/
• Model Checking Programs (JPF paper)
• Four Lectures on Model Checking