Symbolic execution with Java Pathfinder

Jpf has an extension for symbolically executing Java bytecode (called SPF ). I have been using SPF for analyzing some pieces of code. this post introduces installation and basic deployments of SPF to help jpf beginners. as the official documents are really
More suitable for those experienced jpf users.

Install Java Pathfinder (jpf-Core + jpf-symbc)

Step 1: Download sources

I am using eclipse as Java IDE, so here I assume you are using eclipse. for downloading the sources of jpf, we can import projects from its mercurial repositories (if you do not have mercurial plugin installed, please install it before moving on ).

• URL for jpf-core: http://babelfish.arc.nasa.gov/hg/jpf/jpf-core
• URL for jpf-symbc: http://babelfish.arc.nasa.gov/hg/jpf/jpf-symbc (jpf-symbc is the symbolic extension for jpf)

Step 2: Build the jpf-core and jpf-symbc

Jpf projects are ant-based, so you should use ant to build these two projects. Then you are done with installation.

Jpf configuration (assume we are using eclipse plugin to run jpf, here tells you how to install the plugin)

Step 1: copy the imported two projects (jpf-core and jpf-symbc) to a safe place in your machine (to avoid modification)

I put them under c: \ Users \ me \ projects \ jpf \

Step 2: configure the site. properties File

Create a folder call ". jpf" under your home directory (as Eclipse jpf plugin by default seaches ~ /. Jpf for the configuration file). Windows does not allow a folder name starting with a dot, so you can use command line tools to create this folder. Under
Folder, create a site. properties file with the following content

# JPF site configurationjpf.home = ${user.home}/projects/jpf# can only expand system propertiesjpf-core = ${user.home}/projects/jpf/jpf-core# annotation properties extensionjpf-aprop = ${jpf.home}/jpf-apropextensions+=,${jpf-aprop}# numeric extensionjpf-numeric = ${jpf.home}/jpf-numericextensions+=,${jpf-numeric}# symbolic extensionjpf-symbc = ${jpf.home}/jpf-symbcextensions+=,${jpf-symbc}# concurrent extension#jpf-concurrent = ${jpf.home}/jpf-concurrent#extensions+=,${jpf-concurrent}jpf-shell = ${jpf.home}/jpf-shellextensions+=,${jpf-shell}jpf-awt = ${jpf.home}/jpf-awtextensions+=,${jpf-awt}jpf-awt-shell = ${jpf.home}/jpf-awt-shelsextensions+=,${jpf-awt-shell}

Note that even in windows, the path separator is slash (/) instead of back slash (\). sometimes, back slash is OK, but occasionally it causes problems. so using slash is suggested according to my personal experience.

Run SPF (with and without plugin)

1. Using jpf plugin to verify Java programs

Jpf plugin knows where the jpf and SPF classes reside (jars under the build folder of jpf-core and jpf-symbc), so using plugin saves a of Lot efforts. please make sure that in eclipse, window-> preference-> JAVA-> jpf preference-> path to site. properties points
To the directory where we create the configuration file (by default it is set up correctly ).

Suppose we create a new Java project "testjpf" and a class "myclass ".

public class MyClass {public int myMethod(int x, int y){int z = x + y;if (z > 0) {if(y>0){z = 1;} else{z = -1;}//System.out.println("path 1 explored");} else {if(x>0){z = z - x;} else{z = z + x;}//System.out.println("path 2 explored");}z = 2 * z;return z;}public static void main(String[] args){MyClass mc = new MyClass();mc.myMethod(1, 2);}

We can symbolically run the mymethod () method to each e every possible path, and SPF can help generate test cases to cover those paths (test generation is the typical magic of symbolic execution ). in order to do so, you only need to create
A. jpf file under the project folder. lets call it myclass. jpf. IT Content specifies the configuration of SPF. jpf is a great tool, but its configuration is intimidating. jpf's flexibility comes with a price.

target=MyClassclasspath=D:\\java_workspace\\TestJPF\\binsymbolic.method=MyClass.myMethod(sym#sym)#listener=gov.nasa.jpf.symbc.SymbolicListener#vm.storage.class=nil#search.multiple_errors=true#symbolic.debug=true

The right click myclass. jpf, and click "verify", you should the following content printed on Eclipse console.

Executing command: java -jar C:\Users\andrewust\projects\jpf\jpf-core\build\RunJPF.jar +shell.port=4242 D:\java_workspace\Temp\MyClass.jpf Running Symbolic PathFinder ...symbolic.dp=chocosymbolic.string_dp_timeout_ms=0symbolic.string_dp=nonesymbolic.choco_time_bound=30000symbolic.minint=-1000000symbolic.maxint=1000000symbolic.minreal=-10000.0symbolic.maxreal=10000.0symbolic.undefined=-1000000JavaPathfinder v6.0 (rev ${version}) - (C) RIACS/NASA Ames Research Center====================================================== system under testapplication: MyClass.java====================================================== search started: 5/17/12 8:20 PM====================================================== resultsno errors detected====================================================== statisticselapsed time:       00:00:00states:             new=7, visited=0, backtracked=7, end=4search:             maxDepth=3, constraints hit=0choice generators:  thread=1 (signal=0, lock=1, shared ref=0), data=3heap:               new=321, released=42, max live=321, gc-cycles=5instructions:       2974max memory:         59MBloaded code:        classes=75, methods=960====================================================== search finished: 5/17/12 8:20 PM

In the future post, I will explain those configuration parameters in A. jpf file. The minimal set contains des target, classpath, and symbolic. method.

2. configure a eclipse run to symbolically execute a method

Here we don't need any. jpf file to specify jpf deployments. we specify them as Java properties (arguments when running a program using "Java myclass XXXX") by grouping a run.

Step 1 add jpf-core and jpf-symbc to buildpath (without jpf-plugin, We need to explicitly add them as library so that JVM can find corresponding classes)

You can simply add the jars under jpf-core/build, jpf-core/lib, jpf-symbc/build, and jpf-symbc/lib as external jars. or create user libraries to organize those jars. for example, I create jpf-core, jpf-symbc, and jpf-Lib for holding those jars, and then
Add the three libraries to my build path.

Step 2 run Configuration

The we are done here. Click Run, you will see the same results as in the run with plugin.