Reasoning about Safety Critical Java Chris Marriott 27 th January 2011
Motivation Safety critical systems are becoming part of everyday life Failure can potentially lead to serious consequences Verification and certification for safety-critical systems [1] Formal methods are only practical with tool support [2] [1] John Knight. 2005. Safety Critical Systems: Challenges and Directions. [2] Corin Gurr. 1995. Supporting Formal Reasoning for Safety Critical Systems. 2
Motivation (2) Java has widespread use Large scale programs require high productivity Java has a large sustained community Java verification exists [3] SCJ Community already exists Industry interested [3] Bart Jacobs, Joseph Kiniry & Martijn Wariner. 2002. Java Program Verification Challenges. 3
Java 4
Reasoning Techniques - Java Java PathFinder (JPF) Perfect Developer Java Modeling Language (JML) Extended Static Checking (ESC/Java) Java Applet Correctness Kit (Jack) Java Interactive Verification Env. (Jive) Krakatoa KeY System 5
Java PathFinder [4] Translates Java into Promela SPIN model checker Based on assertions Subset of Java Dynamic object creation Inheritance Threads Synchronisation Exceptions Thread Interrupts [4] Klaus Havelund & Thomas Pressburger. 2000. Model checking Java programs using Java PathFinder. 6
Java PathFinder (2) Used with real-world NASA examples Difficult in large-scale systems Error reporting through print statements Is the translation optimal? Is Promela actually needed? 7
Perfect Developer [5,6] Produces Java, C++ or Ada code from a specification Can provide an implementation manually Proof obligations created automatically Proofs discharged automatically Over 90% success rate for a correct program [5] Gareth Carter, Rosemary Monahan & Joseph Morris. 2005. Software Refinement with Perfect Developer. [6] David Crocker. 2003. Perfect Developer: A tool for Object-Oriented Formal Specification and Refinement. 8
Perfect Developer (2) Has been applied to a government IT system [7] Verifier not strong enough Code change / additional assertions No documentation for the PD architecture Specifications for the verifier rather than the program Does not support concurrency [7] David Crocker & Judith Carlton. 2004. A High Productivity Tool for Formally Verified Software Development. 9
JML [8,9,10] Behavioural interface specification language Code annotations Pre / post conditions Loop invariants Tools JML Checker Runtime assertion checking (jmlc & jmlunit) Extended Static Checker (ESC/Java & ESC/Java2) LOOP PVS / Isabelle [8] Gary Leavens, Albert Baker & Clyde Ruby. 1998. JML: a Java Modeling Language. [9] Gary Leavens et al. 2000. JML: notations and tools supporting detailed design in Java. [10] Lilian Burdy et al. 2004. An overview of JML tools and applications. 10
Extended Static Checking for Java [11] Compile time checking Inbetween static checking and formal proofs Very successful and popular [12] Focused on development Neither sound nor complete The tool is considered successful if it finds enough errors to repay the cost of running it [11] Cormac Flanagan et al. 2002. Extended Static Checking for Java. [12] Joseph Kiniry, Patrice Chalin, and Clement Hurlin. 2008. Integrating static checking and interactive verification: Supporting multiple theories and provers in verification. 11
Other Tools Jack [13] Proof obligations for Atelier B, Simplify, and PVS Verification conditions generated per path through code Focused on JavaCARD Similar to LOOP Jive [14] JML annotations (although not necessary) Interactive theorem prover based on Hoare logic Exceptions not handled [13] Lilian Burdy & Antoine Requet. 2002. JACK: Java Applet Correctness Kit. [14] Jorg Meyer & Arnd Poetzsch-Heffter. 2000. An Architecture for Interactive Program Provers. 12
Other Tools (2) Krakatoa [15] Part of the Why software verification platform Does not prove termination of recursive calls Low level of automation for discharging proof obligations KeY [16] First order dynamic logic Programs allowed in pre/post-conditions All Java constructs allowed in the description of states (loops / recursion) Focused on JavaCARD [15] C Marché et al. 2004. The Krakatoa tool for certification of Java/JavaCARD programs annotated in JML. [16] Wolfgang Ahrendt et al. 2005. The key tool. 13
RTSJ 14
RTSJ [17] Subset of Java Designed for real-time systems Differences Schedulable objects & pre-emptive priority based scheduling Synchronisation & resource sharing Time values & clock Memory management Asynchronous transfer of control [17] Andy Wellings & Marisol Garcia Valls. Real-Time Java. 15
Reasoning Techniques - RTSJ KeY [18] JML annotations Translates to dynamic logic Static checking of memory properties Benchmarks (CD x ) [19] Java, RTSJ, SCJ Exceptions Type analysis Memory analysis Blocking analysis Loop bound analysis [18] Christian Engel. Deductive Verification of RTSJ Programs. [19] Tomas Kalibera et al. 2010. Challenge Benchmarks for Verification of Real-time Programs. 16
SCJ 17
Safety Critical Java [20] A subset of RTSJ Programming based on missions and event handlers Different memory model No heap Immortal memory Scoped memory Compliance levels Level 0 Cyclic executive program Level 1 Periodic and aperiodic event handlers Level 2 Real-time no-heap threads Current work on reasoning at levels 0 and 1 [20] The Open Group. 2010. Safety Critical Specification for Java 18
Reasoning Techniques - SCJ Static Checking of Annotations Exhaustive Testing SafeJML 19
Static Checking of Annotations [21] SCJ annotations Level compliance Behavioural compliance May allocate May self suspend Memory safety Define scope Runs-in scope Tool checks implementation against specification Are annotations completely necessary? [21] Daniel Tang, Ales Plsek & Jan Vitek. 2010. Static Checking of Safety Critical Java Annotations. 20
Exhaustive Testing of SCJ [22] JPF extension (R SJ ) Level 0 and 1 support (no APEHs) Memory assignment errors (no need for annotations) Race conditions Priority ceiling emulation violations Dereferencing of null pointers Invalid library calls Array bound violations Divisions by zero Failed assertions State explosion when considering APEHs Bug-hunting tool for real-time Java [22] Tomas Kalibera et al. 2010. Exhaustive Testing of Safety Critical Java. 21
SafeJML [23] First publically available extension to JML for real-time systems Behavioural and timing properties Focused on WCET analysis Behaviour properties not considered Currently the only specification language for SCJ [23] Thaith Haddad, Faraz Hussain & Gary Leavens. 2010. The Design of SafeJML, a Specification Language for SCJ with Support for WCET Specification. 22
Evaluation Tool Language Functional behaviour Memory properties Timing properties JPF Java Yes Yes No Perfect Developer Java Yes Yes No ESC/Java Java Yes Yes No LOOP Java Yes Yes No JACK Java Yes Yes No Jive Java Yes Yes No Krakatoa Java Yes Yes No KeY RTSJ No Yes No SCJ Annotation Checker SCJ No No No R SJ SCJ Yes Yes No SafeJML SCJ No No Yes 23
Conclusion Lots of tools/techniques for Java Less for RTSJ and SCJ Currently no way to verify functional behaviour for SCJ level 1 Model checking can lead to state explosion Theorem proving is difficult to automate 24
Open Questions Can we apply existing tools and techniques to SCJ? Can we extend these techniques? Are SCJ annotations necessary and sufficient? 25