An Eclipse Plug-in for the Java PathFinder Runtime ... - ESSeRE

An Eclipse Plug-in for the Java PathFinder Runtime Verification System

Ivano Rigo
Universita’ degli Studi di Milano Bicocca, Milano

Francesca Arcelli Fontana
Universita’ degli Studi di Milano Bicocca, Milano

Claudia Raibulet
Universita’ degli Studi di Milano Bicocca, Milano

Luigi Ubezio
Universita’ degli Studi di Milano Bicocca, Milano

ABSTRACT

Java PathFinder (JPF) is an explicit state model checker developed by the Automated Software Engineering Group of NASA of the AMES Research Center (California). Eclipse is probably the most important and most used Java Integrated Developing Environment (IDE), and more than that: it is a framework/environment that a developer can easily extend with new functions by exploiting its plug-in mechanism. Through a JPF plug-in for Eclipse it is possible to integrate powerful model checking and testing capabilities into the development environment. This paper presents the re-design of the standalone version of JPF towards an Eclipse plug-in, exploiting and outlining in this way the advantages of open source development.

1. INTRODUCTION

We often rely on digital controllers to supervise critical or non-critical events and to control automatic machines. Traffic control, telecommunication and cellular phones, privacy protection and ATM systems are examples of systems involving critical software, where quality assurance becomes an indispensable requirement.

Model checking [16, 17] is a collection of techniques for the analysis of reactive systems to verify their stability and reliability, because errors in the design of safety-critical aspects can elude conventional simulation and testing techniques. A model checker takes as input a description of the software system to be analyzed, or directly the source or the executable code, together with a number of properties that are expected to hold.

JPF [9, 10, 14] is an explicit state software model checker for Java bytecode, with a virtual machine that executes software components, checking for property violations like deadlocks, unhandled exceptions or user-defined properties along all potential execution paths/states. JPF offers many powerful extension, integration and control mechanisms; moreover, it is an open source project, hence it is possible to easily integrate its verification engine in other applications by modifying the JPF core to adapt it to different requirements.

Eclipse [2, 7], the most popular Java IDE, supplies extension points that can be used to interact with the environment and the projects or to add new graphical elements to its interface. Using the JPF model checking engine in the Eclipse IDE it is possible to analyze software during the development phase in an easy way, using a friendly graphical user interface (GUI), giving developers the possibility to create reliable software through the engineering and encoding phases.
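The exhaustive search over execution paths that the introduction attributes to an explicit state model checker can be shown on a toy model. The following Java program is an added example, not code from JPF or from the plug-in: the class name, the two lock scripts and the state encoding are assumptions made for illustration, and it explores a hand-written model rather than Java bytecode.

```java
import java.util.*;

/** Added illustration (not JPF code): explicit-state search over thread interleavings. */
public class TinyExplicitStateChecker {
    // Constructed model: "+A" acquires lock A, "-A" releases it; opposite lock order.
    static final String[][] THREADS = {
        {"+A", "+B", "-B", "-A"},
        {"+B", "+A", "-A", "-B"},
    };
    // A state is the program counter of each thread; lock owners follow from it.
    static Map<Character, Integer> owners(int[] pc) {
        Map<Character, Integer> held = new HashMap<>();
        for (int t = 0; t < THREADS.length; t++)
            for (int i = 0; i < pc[t]; i++) {
                String op = THREADS[t][i];
                if (op.charAt(0) == '+') held.put(op.charAt(1), t);
                else held.remove(op.charAt(1));
            }
        return held;
    }
    static boolean enabled(int[] pc, int t) {
        if (pc[t] >= THREADS[t].length) return false;   // thread has finished
        String op = THREADS[t][pc[t]];
        return op.charAt(0) == '-' || !owners(pc).containsKey(op.charAt(1));
    }

    /** Explores every reachable state; returns one schedule per deadlocked state. */
    static List<String> findDeadlocks() {
        List<String> found = new ArrayList<>();
        search(new int[THREADS.length], "", new HashSet<>(), found);
        return found;
    }
    static void search(int[] pc, String schedule, Set<String> visited, List<String> found) {
        if (!visited.add(Arrays.toString(pc))) return;  // state matching: already explored
        boolean anyEnabled = false, allDone = true;
        for (int t = 0; t < THREADS.length; t++) {
            if (pc[t] < THREADS[t].length) allDone = false;
            if (!enabled(pc, t)) continue;
            anyEnabled = true;
            int[] next = pc.clone();
            next[t]++;                                  // run one step of thread t
            search(next, schedule + "T" + t + " ", visited, found);
        }
        if (!anyEnabled && !allDone) found.add(schedule.trim());  // blocked, not finished
    }

    public static void main(String[] args) {
        System.out.println("Deadlocking schedules: " + findDeadlocks());
    }
}
```

Because already visited states are pruned, each deadlocked state is reported once, with the first schedule that reached it.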
Moreover, using the capability of Java as a modeling language, it is fast to create a model for software written in any language and test its firmware, middleware and critical hardware management properties, usually written in C, C++ or assembler. Starting from the Java model, it is sufficient to translate it into the original language. The JPF plug-in can be used to drive the development of various types of applications to a reliability target. Hence, in this paper we describe our interesting and useful experience gained using open source tools such as the Eclipse platform for NASA projects. The detailed description of the JPF Eclipse plug-in is presented in [18]. Through the JPF Eclipse plug-in, users are able to control the JPF execution, display what it is doing and query a state. This activity started in collaboration with the NASA Automated S.E. Group, in particular under the supervision and direction of Peter Mehlitz.

1.1. JPF PLUG-IN TARGETS

The most important motivations that have driven us to develop an Eclipse Plug-in for JPF are the following:

• JPF is a powerful model checker for the Java bytecode [5], but it works in a command line mode, so its usage is not "user friendly". Using the SWT (Standard Widget Tools) provided by the Eclipse platform, creating a graphical execution and configuration environment for JPF has become less difficult than creating a stand-alone software with a graphical interface.
• Eclipse permits the iteration on projects, so that the JPF plug-in can directly test a complete project created with Eclipse. In this way the model checking of a software can be made during the development phase.
• Eclipse does not already have an integrated model checker. In this way a new interesting functionality has been added to the development platform and, furthermore, the basis has been created to integrate additional, more complex functionalities.
• Java can be easily used as a modeling language. Eclipse has a powerful environment for Java development called JDT (Java Development Toolkit). Using these characteristics it is possible to test a model (written in Java) for a critical software or firmware written in another programming language.
• Model checking during the development phase makes it possible to create reliable software in an easy way.

2. THE IMPLEMENTATION APPROACH

The Eclipse plug-in [1] development has followed an engineering process [3] residing half-way between the standard engineering process and the extreme programming implementation approach. After studying the plug-in tasks, the development guidelines were defined and, furthermore, an architectural base structure was designed. During the plug-in implementation, the architecture has been modified due to the unexpected aspects that emerged from the need to add new functions, to divide the logic of very large classes into more specialized sub-classes and to follow the changes of JPF, which is still under evolution and optimization. Moreover, this being the first integration of JPF into Eclipse, the architecture has endured other changes due to the problems raised by the runtime class loading of JPF. The aspect that needed the most changes regards the real-time debugging of variable values. This aspect has been an add-on to our plug-in features, because the first target was to give a user-friendly graphical interface to JPF. The real-time debugging of variable values is an added value of our plug-in that makes it possible to know the variable state when an error is detected by JPF.

Figure 1: The JPF Plug-in vs. a Standard Plug-in

As it is possible to see in Figure 1, the JPF plug-in differs from a standard implementation of a plug-in under this aspect: usually a plug-in is an "all in one" component; both the business logic and the Eclipse interfacing functionality reside inside the "new tool" implementation. Using the interfacing mechanisms provided by JPF, the plug-in interacts with the model checker to command the execution according to the actions made by the user on the plug-in graphical interface and reports the model checking results on the Eclipse GUI. The JPF business logic resides in these packages:

• "open-jpf.jar": which implements the JPF model checking core.
• "env-jpf.jar": which implements the execution environment of the JPF.
• "env-jvm.jar": which implements the JPF simulation virtual machine.

These packages can be built by a developer who has a "source" release of JPF. It is possible to modify some components of the JPF model checking core to adapt it to the application before the creation of the libraries.

2.1. THE JPF PLUG-IN SOFTWARE ARCHITECTURE

The Eclipse plug-in for JPF has been designed to become an "interface" between the Eclipse Integrated Development Environment and the core of the JPF model checker, which is integrated in the plug-in using libraries (the .jar files). The entire model checking verification logic resides inside the JPF core libraries.

Figure 2: The JPF Core Structure for JPF Plug-in

ties. When a property is computed, there is no need for the corresponding logic to save the value, since the user cannot update this value. Properties pages are commonly used to view and set the application-specific properties of a resource. Since the property page knows its resources, the resources API can be used in the page to initialize control values or to set new property values based on user selections in the properties page. "JPFSetupPropertyPage" is a simple properties page with two checkboxes which determine what type of variable values analysis to perform and whether system and JPF errors are shown on the console view. When you right-click on a project and select "properties", a window with a list of properties pages will be displayed. Selecting JPF from this list, the JPF plug-in properties page will appear. The class implementing this interface defines the graphical environment and saves the choices made by the user. "JPFSetupPropertyPage" defines a set of "static final" variables containing the strings shown on the property page interface. Furthermore, "JPFSetupPropertyPage" defines all the methods necessary to implement the "PropertyPage" as private or protected. These methods are necessary to create the properties page instance inside the Eclipse environment. "JPFSetupPropertyPage" interacts with a "SelectionListener" implementation called "Btn1Listener". "Btn1Listener" is associated with the check box that enables the variable values checking and adapts the properties page graphical interface to the check box value.

The JPF core controller (see Figure 8) is a simple class: it supplies only the methods strictly necessary to create a JPF core instance and to command it.

• "JPFCreate()" creates a new JPF instance through the parameter in the string array "args". If the controller is unable to load a new instance a null pointer is returned.
• "JPFStart()" starts a model checking process parameterized with the settings passed to the "JPFCreate" method.
  The start is performed by calling the "run" method defined by the "Thread" interface.
• "JPFPause()", "JPFStart()" and "JPFStop()" perform the action specified by the name on the model checking thread.

Java and Sun advise users not to use this last "Thread" method, because deadlock errors can be easily generated when developing concurrent applications. In the JPF plug-in we are not in the presence of a concurrent application. It is possible to call these methods without problems. Their usefulness is simply to stop, definitively or temporarily, a computationally intensive model checking process. The JPFCleanUp method destroys a temporarily stopped model checking to free memory and resources for a new analysis. With respect to this, the JPF core implementation has been modified because it implements the "Runnable" interface. This interface does not permit stopping, pausing or resuming a thread execution, while the extension of the "Thread" class permits a high level interaction with JPF directly from the plug-in by simply calling a method.

Figure 8: The JPF Controller Class Diagram

4. CONCLUSIONS AND FUTURE DEVELOPMENTS

The JPF Eclipse Plug-in has been developed as a working prototype, ready to be extended in order to integrate new functionalities. To test the plug-in, some projects have been built in a new Eclipse IDE with the JPF Eclipse Application installed. These projects have different complexity and have been created first to test the correctness of the plug-in (simple projects to verify the absence of errors in the application), then to stress the plug-in and JPF and, moreover, to verify the system resource requirements of the model checker integrated in the IDE. The series of tests have been performed using the examples distributed on the JPF web site or using the CVS system. These series of Java samples have been specifically created by the NASA developers to test the capacity of the model checker: they are deliberately created with logical errors, assertion violations, uncaught exceptions, and deadlocks [11, 15].

The current version of the Eclipse application works correctly, following the prefixed specification by integrating advanced model checking functionalities and extra functions such as the real time variable value debugging. The JPF Plug-in has been engineered to facilitate further developments and can be easily used in Eclipse 3.0 and later versions by simply copying the ".jar" distribution file inside the "plugin" folder of the Eclipse IDE. The possible future developments regard the addition of new configurations for the model checking process, the extension of the graphical interface with Eclipse Rich Client, and the graphical analysis of the model checking process using graphs, which are more detailed for the intermediate model checking results and for the real-time variable values debugging.

ACKNOWLEDGEMENTS

We would like to deeply thank Peter C. Mehlitz from the Automated Software Engineering Group, NASA Ames Research Center, for his always valuable advice and suggestions during this work. We also greatly thank John Penix and Masoud Mansouri-Samani of the same Research Center.

REFERENCES

[1] Erich Gamma, Kent Beck - Contributing to Eclipse: Principles, Patterns, and Plug-Ins, Addison Wesley; October 20, 2003.
[2] Steve Holzner - Eclipse CookBook, O’Reilly; June 2004.
[3] Ian Sommerville - Software Engineering (6th Edition), Addison Wesley; 6 edition, August 11, 2000.
[4] IBM Corp. - Eclipse - Platform Plug-In Developer Guide; 2000, 2001.
[5] IBM Corp. - Java Development Tooling overview; June 20, 2002.
[6] IBM Corp. - Using the Plug-in Development Environment; June 20, 2002.
[7] IBM Corp. - Welcome to Eclipse; 2000, 2004.
[8] Erich Gamma, Richard Helm, Ralph Johnson, John Vlissides - Design Patterns: Elements of Reusable Object Oriented Software, Addison-Wesley Professional, 1st edition; January 15, 1995.
[9] Peter C. Mehlitz, Willem Visser, John Penix - The JPF Runtime Verification System, NASA Ames Research Center; April 2005.
[10] Java Path Finder Version 3.1.1 User Guide.
[11] Willem Visser, Corina S. Pasareanu, Sarfraz Khurshid - NASA Ames Research Center. Test Input Generation with Java PathFinder, Proceedings of ISSTA 2004. Boston, MA, July 2004.
[12] JPF Listeners - Search and VMListeners - the JPF Extension Structure.
[13] MJI Interface - MJI - the Model Java Interface.
[14] Willem Visser, Klaus Havelund, Guillaume Brat, SeungJoon Park and F. Lerda - NASA Ames Research Center. Model Checking Programs, Automated Software Engineering Journal. Volume 10, Number 2, April 2003.
[15] C. S. Pasareanu, Willem Visser - NASA Ames Research Center. Verification of Java Programs using Symbolic Execution and Invariant Generation, Proceedings of SPIN 2004. Barcelona, Spain, April 2004. LNCS 2989.
[16] D. Giannakopoulou, C. S. Pasareanu, J. M. Cobleigh - NASA Ames Research Center. Assume-guarantee Verification of Source Code with Design-Level Assumptions, Proceedings of the 26th International Conference on Software Engineering (ICSE). Edinburgh, Scotland. May 2004.
[17] Stephan Merz - Model Checking: A Tutorial Overview, 2002.
[18] Ivano Rigo - An Eclipse Plug-In for the Java PathFinder Runtime Verification System, Master Thesis, University of Milano-Bicocca, Italy, December 2005.
