1 / 16

Reasoning About Exceptions Using Model Checking

Reasoning About Exceptions Using Model Checking. Reid Simmons David Garlan Jeannette M. Wing George Fairbanks, Gil Tolle, Balaji Sarpeshkar, Joe Jiang. Computer Science Department Carnegie Mellon University Pittsburgh, PA. Outline. Why Model Check Exceptions? Approach IEL MOPED

amehta
Télécharger la présentation

Reasoning About Exceptions Using Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Reasoning About ExceptionsUsing Model Checking Reid SimmonsDavid GarlanJeannette M. WingGeorge Fairbanks, Gil Tolle, Balaji Sarpeshkar, Joe Jiang Computer Science Department Carnegie Mellon University Pittsburgh, PA

  2. Outline • Why Model Check Exceptions? • Approach • IEL • MOPED • Translations • “Gotchas” • Example • Vending Machine May 1, 2003

  3. Exceptions in Programming Languages • Raising Exceptions • Throw of named/typed exceptions • Catch by nearest matching handler • Exceptions may form inheritance hierarchy • “Clean up” Construct • Finally / Unwind-protect • Executed in both nominal and exceptional situations • Semantics • Termination (C++, Java, Lisp) • Resumption (Mesa, Eiffel, TDL) May 1, 2003

  4. Why Hard? • Non-Local Flow of Control • Context of “Catch” Frames Determined Dynamically • “Clean Up” Construct Adds Additional Pathways • Hard to Reason About All Possible Execution Paths • Impossible To Do So Purely Locally May 1, 2003

  5. Source Code IEL MOPED Counter Example Specifications Overview of Our Approach May 1, 2003

  6. Intermediate Exception Language (IEL) • Captures Commonalities of Exception Handling Among Different Languages • Focuses on Control-Flow Constructs Relevant to Reasoning About Exceptions • Catch/Throw/Finally • Iteration and Conditionals • Break and Return • Assignment • Procedures • Hierarchical Exceptions • Minimal Data Representation • No value-returning functions May 1, 2003

  7. IEL Example: Resource Locking var locked: int exception e1 procedure main () { locked := 0 while true { try { lock() randomException() unlock() } catch e1 { /* unlock() */ } } } procedure lock () { if locked = 1 then error() if locked = 0 then locked := 1 } procedure randomException () { if (p) throw e1 } May 1, 2003

  8. MOPED • Model Checker for Push-Down Automata • Stefan Schwoon’s PhD Thesis • Symbolic Model Checker • Handles Procedures with Local Variables • Need to Explicitly Handle Frame Axioms • Verifies LTL State Reachability Formulae • Currently cannot handle LTL formulae involving variables • Minimal Data Representation May 1, 2003

  9. Translating IEL  MOPED • Create Local Translation Rules for Each IEL Construct • Assign ( x := y) q <procN> --> q <procN+1> (x’ = y & frameAllExcept(x)) • Conditional ( if p then stmt) q <procN> --> q <procN+1> “if true” (p = 1 & frameAll) q <procN> --> q <procN’> “if false” (p = 0 & frameAll) …stmt… q<procN’> … • Throw ( throw ex) q <procN> --> q <procEx> (ex’ = 1 & …) • Try/Catch ( try { tryblock } catch ex { catchblock}) q <procN> --> q<procTry> “jump past catch” (frameAll) q <procEx> --> q<procCatch> “caught ex” (ex = 1 & …) q <procEx> --> q<procN> “didn’t catch ex” (ex = 0 & …) …catchBlock translation… …tryBlock translation… q <procN> … May 1, 2003

  10. “Gotchas” • Exception Hierarchy • (Nested) Finally Blocks • Break and Return Statements May 1, 2003

  11. Modeling Exception Hierarchy exception e0 exception e1 extends e0 try { throw e1 } catch e0 {} • Preprocess IEL Code to Determine Hierarchy • “Throw” Explicitly Sets Exception and All Its Parents q <procN> --> q <procEx> (e1’ = 1 & e0’ = 1 & …) • Matching “Catch” Clears All Exceptions q <procN> --> q <procN+1> (e0’ = 0 & e1’ = 0 & e2’ = 0 & …) May 1, 2003

  12. Modeling Finally Blocks try { if q then throw e1 } finally { try { if p then throw e2 } catch e1 { x := x / 0 } x := x + 1 } • Store State of Exceptions Upon Entering Finally Block • Clear All Exceptions Before Executing Finally Block • Restore Exception State at End of Finally Block, Unless a New Exception Was Raised May 1, 2003

  13. Modeling Nested Finally Blocks NL = 0; EL = -1 try { throw e1 } finally { try { if p then throw e2 } finally { x := x + 1 } x := x + 1 } • Store State of Exceptions Upon Entering Finally Plus Keep Track of “nesting level” and “exception level” • Increment “nesting level” on Entering, and Decrement on Exit • Clear All Exceptions Before Executing Finally Block • Before Entering Finally Block with an Exception, Set “exception level” to “nesting level” • Propagate Exception on Exit if “exception level” equals “nesting level” • try { • throw e1 • } finally { • try { • throw e2 • } catch e2 { } • finally { } • x := x + 1 • } NL = 1 EL = 0 NL = 2 EL = 1/0 NL = 1 NL = 0 May 1, 2003

  14. Modeling Break and Return Statements • “Break” and “Return” Interact in Interesting Ways with Exceptions and Finally Blocks • while (x < 5) { • try { • if x = 3 then { • try { • throw e1 • } finally { • try { • break • } finally { • x := x * 5 • } • } • } • } catch e1 {} • x := x+1 • } • x := x - 2 • while (x < 5) { • try { • if x = 3 then { • try { • break • } finally { • try { • throw e1 • } finally { • x := x * 5 • } • } • } • } catch e1 {} • x := x+1 • } • x := x - 2 Approach: Treat “Break” and “Return” as Exceptions that do not Propagate!! May 1, 2003

  15. Example: Vending Machine • Model of Vending Machine • Machine vends product, if it has that product in stock and sufficient $$ put in • Represented by Java program that has significant exceptions • From TSE article by Sinha & Harrold • Verify that if Money is Put in the Machine, Eventually it will either Return Money or Vend Product • Static analysis is insufficient • Hand-coded IEL program from Java source;Automated IEL  MOPED translation • Found bug in the program (could keep on adding money indefinitely – no limit) May 1, 2003

  16. Ongoing and Future Work • Translating Java  IEL • Work in Progress • Parser and Most of Translator Exist • Main Difficulty in Dealing with Objects • Complex data structures, Inheritance, Dynamic memory allocation • Add Specification Language to IEL • Translate Other Languages (C++, Lisp) • Model Resumption Model of Exceptions • Test on Software with Significant Exceptions May 1, 2003

More Related