CS294, YelickESC, p1 CS 294-8 Extended Static Checking

Slides:



Advertisements
Similar presentations
Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,
Advertisements

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 8.
Control Structures Ranga Rodrigo. Control Structures in Brief C++ or JavaEiffel if-elseif-elseif-else-end caseinspect for, while, do-whilefrom-until-loop-end.
Extended Static Checking for Haskell (ESC/Haskell) Dana N. Xu University of Cambridge advised by Simon Peyton Jones Microsoft Research, Cambridge.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
ISBN Chapter 3 Describing Syntax and Semantics.
1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
Comp 205: Comparative Programming Languages Semantics of Imperative Programming Languages denotational semantics operational semantics logical semantics.
ITEC200 Week02 Program Correctness and Efficiency.
Software Engineering and Design Principles Chapter 1.
CIS 101: Computer Programming and Problem Solving Lecture 8 Usman Roshan Department of Computer Science NJIT.
C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Systems Wireless EmBedded nesC Update Eric Brewer with help from David Culler, David Gay, Phil Levis, Rob von Behren, and Matt Welsh.
Software Testing and Quality Assurance
Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
1 A Modular Checker for Multithreaded Programs Cormac Flanagan HP Systems Research Center Joint work with Shaz Qadeer Sanjit A. Seshia.
CS 330 Programming Languages 09 / 16 / 2008 Instructor: Michael Eckmann.
CSC 395 – Software Engineering Lecture 21: Overview of the Term & What Goes in a Data Dictionary.
Describing Syntax and Semantics
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
1 Debugging and Testing Overview Defensive Programming The goal is to prevent failures Debugging The goal is to find cause of failures and fix it Testing.
Types for Programs and Proofs Lecture 1. What are types? int, float, char, …, arrays types of procedures, functions, references, records, objects,...
Introduction CS 3358 Data Structures. What is Computer Science? Computer Science is the study of algorithms, including their  Formal and mathematical.
Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.
SWE 619 © Paul Ammann Procedural Abstraction and Design by Contract Paul Ammann Information & Software Engineering SWE 619 Software Construction cs.gmu.edu/~pammann/
Extended Static Checking for Java  ESC/Java finds common errors in Java programs: null dereferences, array index bounds errors, type cast errors, race.
ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.
CS 363 Comparative Programming Languages Semantics.
Formal Verification Lecture 9. Formal Verification Formal verification relies on Descriptions of the properties or requirements Descriptions of systems.
CIS 771: Software Specifications Lecture 18: Specifying and Checking Partial Properties of Java Code Copyright , Matt Dwyer, John Hatcliff, and.
CS Data Structures I Chapter 2 Principles of Programming & Software Engineering.
1. 2 Preface In the time since the 1986 edition of this book, the world of compiler design has changed significantly 3.
Chapter 3 Part II Describing Syntax and Semantics.
Pre- and postconditions, Using assertions and exceptions 1 Pre- and postconditions Using assertions and exceptions.
Software Engineering 4, Julian Richardson, 30 April Static Analysis Software Engineering HX3 Julian Richardson
Design - programming Cmpe 450 Fall Dynamic Analysis Software quality Design carefully from the start Simple and clean Fewer errors Finding errors.
Spec# Andreas Vida. Motivation Correct and maintainable software Correct and maintainable software Cost effective software production Cost effective software.
Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata.
CS527 Topics in Software Engineering (Software Testing and Analysis) Darko Marinov August 30, 2011.
CS533 – Spring Jeanie M. Schwenk Experiences and Processes and Monitors with Mesa What is Mesa? “Mesa is a strongly typed, block structured programming.
PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013.
Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.
Formal Verification. Background Information Formal verification methods based on theorem proving techniques and model­checking –To prove the absence of.
Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata Compaq Systems.
Combining Static and Dynamic Reasoning for Bug Detection Yannis Smaragdakis and Christoph Csallner Elnatan Reisner – April 17, 2008.
/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.
ESCJ 14: ESC/Java Project Review Slides March 6th, 1997.
CSC3315 (Spring 2009)1 CSC 3315 Languages & Compilers Hamid Harroud School of Science and Engineering, Akhawayn University
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 10: Programming Exceptionally.
Agenda  Quick Review  Finish Introduction  Java Threads.
CSE 374 Programming Concepts & Tools Hal Perkins Fall 2015 Lecture 17 – Specifications, error checking & assert.
Healing Data Races On-The-Fly
Types for Programs and Proofs
CSE 374 Programming Concepts & Tools
Multiple Writers and Races
Accessible Formal Methods A Study of the Java Modeling Language
Hoare-style program verification
Java Modeling Language (JML)
Presentation transcript:

CS294, YelickESC, p1 CS Extended Static Checking

CS294, YelickESC, p2 Agenda Intro and recap Overview of ESC (M3 and Java) Comparison and Discussion

CS294, YelickESC, p3 Two Themes in Reliable Software Limit scope of errors: –Prevent buggy/malicious app from doing harm to others –Both direct (access to data) and indirect (hogging resources) are important –The OS may be viewed a special: the “trusted arbiter” of limited resources Make the program itself run correctly –Adhere to some reasonable programming discipline –Need to specify the discipline

CS294, YelickESC, p4 Dealing with Buggy Software Dynamic approaches –Restrict access in HW or OS (kernel) –Software Fault Isolation –Checked exceptions and assertions –Virtual machines (e.g., JVM) Static approaches –Type checking –Verification –Restricted languages (avoid bugs)

CS294, YelickESC, p5 Recap of Engler Talk How general was the approach? How useful was it? What about soundness/completeness? How could they find bugs in the Flash code that a “verification” missed? What is the right measure of success for this kind of work? # bugs in popular code? Others?

CS294, YelickESC, p6 Useful Classes of Rules Never/always do X Never/always do X before/after Y In situation X, do/don’t perform Y –Use locks; rollback state if failure Plus some “optimization-related” –Do X rather than Y –In situation Z, do X rather than Y How powerful is the language –For X, Y, Z expressions –Never/always/when and before/after control

CS294, YelickESC, p7 Extended Static Checking Similar goals to the MC work –Check certain properties of programs –Not full verification Differences –Requires specifications rather than state machine –Uses a theorem prover engine –Emphasis: control vs. abstraction –Languages: C vs. M3&Java

CS294, YelickESC, p8 Edit/Prove/Debug Loop Annotated Program Verification Condition Generator Theorem Prover Error message “Sorry, can’t find any more errors” Post Processor

CS294, YelickESC, p9 Default Errors in ESC ESC acts like a power lint; it checks: –Array bounds errors –Subrange errors –Null derefs –Narrowing type cast error –Missing returns –Exceptions not declared –Divide or mod by zero

CS294, YelickESC, p10 ESC Specification Language Programmer can add specifications: –Procedures and methods –Abstraction –Concurrency –Invariants: loop, module, assertion ESC/Java allows for Java expressions in writing annotations

CS294, YelickESC, p11 Procedures in ESC Procedure and methods: –Modifies: list of all variable that could be modified –Requires (precondition) –Ensures (postcondition)

CS294, YelickESC, p12 ESC/Java Syntax Annotations are Java comments with I.e., … */ 4 categories of annotations (pragmas) –Lexical: where comments are allowed –Statement: where statements are allowed –Declaration: where declaration of class and interface members are allowed –Modifier: within declarations

CS294, YelickESC, p13 ESC/Java Pragmas Requires E; assume E in body of method and warn if can’t be proven at call sites Modifies S; will assume calls only modify these fields (does not check body) Ensures E; assumes true after calls, and proves for body Assume E; assume E is true and ignore branches where it is false Assert E; issue a warning if E cannot be proved Nowarn L; turn off these warnings

CS294, YelickESC, p14 Concurrency in ESC ESC provides support for concurrent programs: –Accessing protected variables without a lock –Acquiring locks out of order (for deadlock avoidance) The programmer needs to specify –which variables are protected and –what order locks should be acquired Specified using general axiom facility – –Where “<“ denote lock acquisition order

CS294, YelickESC, p15 Concurrency in ESC Note that this may be more restrictive than necessary, but is reasonable (?) practice. –Having a global lock acquisition order –Protecting a shared variable by a fixed lock Example: INTERFACE Rd; … TYPE T <: MUTEX; <* SPEC GetChar(rd) MODIFIES state[rd] REQUIRES valid[rd] AND sup(LL)

CS294, YelickESC, p16 Concurrency in ESC and MC ESC and MC check properties of concurrent programs, but does not check the concurrency directly. –ESC analyzes locks, MC interrupts –Neither analyze thread creation (e.g., to see if there is real concurrency) Some of the more interesting properties (and bugs) come from currency Are there other common bugs one should detect?

CS294, YelickESC, p17 Abstractions in ESC ESC takes on global analysis and thus abstraction as a primary focus. Problem: specifications need to describe variable modifications that are not in scope Solution: Use abstract variables in the specification. May have axioms on those variables (as in SPEC)

CS294, YelickESC, p18 Data Abstraction in ESC Downward closure –Modifying an abstract variable implies license to modify concrete ones Lack of soundness –Need to link modifications of concrete and abstract variables Depends maps DEPENDS Rd.state[rd: Rd.T] ON rd.st, rd.lo, rd.cur, rd.hi, rd.buff, rd.buff^

CS294, YelickESC, p19 Comparisons to MC Could everything done in MC framework be done in ESC? Consider X after Y –Make Y’s spec ensure some property “P” E.g., interrupt = off –Make X’s spec ensure ~P E.g., interrupt = on –Give all other procedures Requires: interrupt on Ensures: interrupt on Last point is key to simplicity: property enforced globally without adding specs everywhere

CS294, YelickESC, p20 Comparison: ESC and MC Choice of language is critical –Modula 3 and Java, vs. –C Differences in –Popularity –Classes of errors that arise C is the easy case

CS294, YelickESC, p21 Comparison: ESC and Java Difference in background of work –ESC comes from basic principles Theorem proving, verification –MC comes from systems programming How was Exokernel written? What are good rules to follow in writing systems? Related difference –Effort on the tool vs. effort on the examples

CS294, YelickESC, p22 Thoughts for Thursday Larus will be talking about an alternate programming style for servers –Events vs. threads –Related to Telegraph, Ninja, others? What programming problems likely to arise in this style? How could checkers help?

CS294, YelickESC, p23 Administrivia Jim Larus speaking Thursday –Draft paper online Final projects: –Send mail to schedule meeting with me Next week: –Tuesday ? –Thursday: Kar and (the other) Hellerstein-- completely different approach to system reliability –Following Tuesday: guest lecture by Aaron Brown on benchmarks; related to Kar and Hellerstein work. –Still to come: Gray, Lamport, and Liskov

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.